Privacy Policy

PRIVACY POLICY – PROCESSING OF PERSONAL DATA (GDPR) BY Kiltse

DICTIONARY

1.1. Kiltse

Kiltse – the legal entity, IO Line Limited with a registered office in Sokratous, 2 Mesa Geitonia, 4006 Limassol, Cyprus, company number: HE 440516, VAT: CY10440516Z
e-mail: [email protected]

1.2.  Data Controller 

IO Line Limited with a registered office in Sokratous, 2 Mesa Geitonia, 4006 Limassol, Cyprus, company number: HE 440516, VAT: CY10440516Z
e-mail: [email protected]  

1.3. Personal Data—information about a natural person already identified or identifiable through one or several specific factors determining physical, physiological, genetic, psychological, economic, cultural, or social identity, including image, voice record, contact details, localization data, information included in correspondence, and information gathered with recording technology or other similar technology.

1.4. Policy – This policy of processing private data. 

1.5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR). 

1.6. Data subject – natural person who is a Customer or a Counterparty, to whom personal data processed by the Administrator applies.

1.7. Customer – natural person to whom the data processed by the Data Controller concern, who purchases goods in the Online Shop or/and uses services related to the purchase of goods in the Online Shop, also a natural person who is an employee, associate, person in charge, etc. of legal person or entity without legal personality, to whom the data processed by the Data Controller concern, acting on behalf or for the benefit of a person who purchases goods in the Online Shop or/and uses services related to the purchase of goods in the Online Shop.

1.8. Counterparty – natural person to whom the data processed by the Data Controller concern, including natural persons who are employees, associates, people in charge, etc. of legal person or entity without legal personality, that collaborates (e.g., provides goods to the Online Shop) or provides services for the Data Collector.

1.9. Online Shop – an online platform under the address https://kiltse.com which enables you to get acquainted with the offer of the Data Controller, through which a Customer can purchase goods from the Data Controller, and which provides a Customer other services related to the purchase of goods.

PROCESSING OF PERSONAL DATA BY DATA CONTROLLER: 

2.1. Due to running economic activity, the Data Controller gathers and processes Personal Data under relevant regulations of law, especially GDPR, and rules of processing data specified in these regulations.

2.2. Data Controller:

2.2.1. Provides clarity of data processing; 

2.2.2. Always informs about processing data at the moment of gathering them, especially about the purpose and legal grounds of personal data processing, unless he is not obliged to do so under separate regulations; 

2.2.3. Takes care that data is gathered only to the extent necessary for a given purpose and processed within the required period.

2.3. While processing data, the Data Controller ensures its safety and confidentiality and access to information about processing to data subjects. If, despite the application of safety measures, a breach of personal data protection takes place (e.g., "data leak" or loss) and such a breach could bring a high risk of violation of law or data subject liberty, the Data Collector will inform the subjects of data about such incident in accordance with legal regulations.

CONTACT WITH DATA CONTROLLER AND DATA PROTECTION OFFICER: 

3.1. Contact with the Data Controller is possible through the e-mail address [email protected] or correspondence address:

Carrer del Puig de Pollenca 71A Esc 2, 2B, 07015 Palma, Spain

3.2. The Data Controller is not obliged to appoint a Data Protection Officer. The data controller analyzed this matter.

PERSONAL DATA SAFETY:

4.1. To ensure data integrity and confidentiality, the Data Controller implemented procedures enabling access to personal data only to authorized persons and only to the extent essential to their tasks. The Data Controller also applies organizational and technical solutions to ensure authorized persons register and perform all personal data operations.

4.2. The Data Controller takes all necessary actions to ensure that his subcontractors and other cooperating subjects also guarantee the implementation of appropriate safety measures in all circumstances of processing personal data on the Data Controller’s commission.

4.3. The Data Controller carries out up-to-date risk analysis and monitors the adequacy of applied data protection to identify threats. In case of necessity, the Data Controller applies additional measures to increase data safety.

5.1. Personal data of customers is processed in the following cases:

5.1.1. Registration of an account in the Online Shop of Data. Purpose: creating and managing an individual account. Legal ground: processing is necessary for the performance of Account service (article 6 par. 1 letter b of GDPR);

5.1.2. Realization of Orders in an Online Shop. Purpose: performance of purchase contract. Legal ground: the processing is necessary for the performance of the purchase contract (article 6 par. 1 letter b of GDPR);

5.1.3. Use of online payment services. Purpose: performance of purchase contract. Legal ground: the processing is necessary for the performance of the purchase contract (article 6 par. 1 letter b of GDPR);

5.1.4. Subscription to Information Bulletin (Newsletter). Purpose: information about products and offers. Legal ground: consent of the Data Subject to perform the contract for the provision of the Newsletter service (article 6 par. 1 letter a of GDPR);

5.2. Personal data of Data Subjects is also processed in the following cases:

5.2.1. e-mail and regular mail correspondence. When inquiries are directed to the Data Controller via e-mail or regular mail related to the purchase of goods to the sender or other contract entered with him, personal data included in this correspondence is processed only for communication and solving the issues to which correspondence refers.

The legal ground for processing is the legally justified interest of the Data Collector (article 6 paragraph 1 letter f of GDPR) based on correspondence directed to him regarding his economic activity.

The Data Controller processes personal data that is important to the correspondence issue. The whole correspondence is stored in a way that ensures the safety of personal data (and other information) contained in it and is disclosed only to authorized persons.

5.2.2. Social media portal profiles. The Data Controller has public profiles on social media portals, e.g., Instagram and Facebook.

Because of this, it processes data left by people who visit these profiles (including comments, likes, and online identifiers).

Personal Data of these people are processed:

– to enable their activity on these profiles;

– for effectively running profiles by presenting to users informative portals about initiatives and other activities of the Data Controller and for promoting various events, services, and products;

– for statistical and analytical purposes;

– to promote your brand and improve the quality of services provided.

The legal grounds for processing Personal Data are the legally justified interests of the Data Controller (article 6 paragraph 1 letter f of GDPR).

ATTENTION: The abovementioned information does not apply to personal data processing by administrators of social media portals (e.g., Instagram, Facebook).

5.2.3. Processing personal data of Staff members of Data Subjects. Due to entering into contracts regarding running economic activity, the Data Controller obtains data on people involved in the performance of the agreement (e.g., persons authorized to contact, persons executing orders, etc.) from Data Subjects. The scope of the data transmitted is, in any event, limited to what is necessary for the performance of the agreement and normally does not include information other than the first name and surname and official contact details.

Such personal data are processed to realize the legally justified interest of the Data Controller and his Contractor (article 6 paragraph 1 letter f of GDPR), based on enabling him to properly and effectively perform the contract. Such data may be disclosed to third parties involved in contract performance.

Data are processed for the period necessary to realize the abovementioned interests and fulfill legal obligations. 

5.2.4. Gathering data as a matter of business contacts. Due to running economic activity, the Data Controller also gathers personal data in other cases – e.g., during business meetings or via the exchange of business cards – to initiate and maintain business contacts. The legal ground for processing data is, in this matter, the justified interest of the Data Controller (article 6 paragraph 1 letter f of GDPR) based on creating a network of contacts regarding running economic activity.

Personal data gathered in these circumstances are processed only for the purpose they were gathered; the Data Controller guarantees their proper protection.

5.2.5. Invoicing or billing for the realization of the contract. Personal data is processed only to the extent necessary for invoicing or billing. The legal ground for processing is its indispensability to fulfill the contract (article 6 paragraph 1 letter b of GDPR).

5.2.6. Vindication of claims related to fulfillment of the contract. For this purpose, personal data is processed only to the extent necessary to vindicate claims. The legal ground for processing is its indispensability to realize the legally justified interest of the Data Controller (article 6 paragraph 1 letter f of GDPR).

SERVICE PROVIDERS

6.1. Due to running economic activity that requires the processing of personal data, personal data may be disclosed to external entities, including providers of IT and technical support services, entities providing accounting services, postal operations, couriers, marketing or recruitment agencies, and legal offices.

STATE AUTHORITIES

6.2. The Data Controller reserves the right to disclose or provide information about the Subject of Personal Data to competent state authorities or third parties that request such data only based on proper legal grounds and in compliance with the applicable provisions of the law.

6.3. Personal data will also be provided to competent state authorities, in particular to Courts, Prosecutors, Police, the President of the Data Protection Office (formerly Inspector General for Personal Data Protection), the President of the Office for Competition and Consumer Protection, and others that request such data from the Data Controller.

DATA TRANSMISSION OUTSIDE THE EEA:

7.1. The protection level of personal data outside the European Economic Area ("EEA") differs from the one guaranteed by European law. For this reason, the Data Controller transfers Personal Data outside the EEA only if necessary and with appropriate protection.

COOKIES, IP ADDRESSES. 

8.1. When you use an Online Shop, it automatically collects data about a Customer through small files called ‘cookies.’ The Administrator saves these files on the terminal device of the person visiting the Online Shop if the web browser has a function enabled to do so. A cookie file usually contains the domain name from which it comes, its “expiration time,” and an individual, randomly selected number identifying this file. Information collected using such files helps the Data Collector adjust products offered to individual preferences and actual needs of visitors at the Online Shop. They also provide the opportunity to develop general statistics of visits to the Online Shop. This data can also be collected by the Google Analytics system, an internet analytics system that gives insight into the Online Shop data traffic and demographic data of people who visit the Online Shop, which is used to conduct marketing activities. A person who visits the Online Shop and disagrees with the functioning of the Google Analytics system should block cookies.

8.2. The Data Controller uses two kinds of cookie files:

– Session cookies – recorded information is deleted from a device’s memory after a session of a given web browser or after a computer is turned off.

– Persistent cookies – remain in the memory of the end device until the browser user manually deletes them or until they expire.

8.3. Cookies are used to authenticate customers in the online shop, provide them with a customer session (after logging into the customer account), and analyze and generate anonymous statistics.

8.4. Visitors to the Online Shop can turn off the cookies mechanism in their browser in accordance with the manual provided by the browser manufacturer. However, the Data Controller warns that blocking or removing cookies may cause difficulties in using the Online Shop and, in some cases, prevent the use of some of its options. 

8.5. The Data Controller can collect the IP addresses of people who visit the Online Shop. The IP address is the number assigned to the visitor’s computer by the Internet Service Provider. The administrator uses the IP address to diagnose technical problems with the server, to create statistical analyses, for safety reasons, and for presumptive identification of server-intensive, unwanted automatic programs for browsing the Online Shop.

PASSWORDS MANAGEMENT.

9.1. The Data Collector assures a safe and encrypted connection while sending personal data and logging into the customer’s account in the Online Shop.

9.2. If a Customer who has an account in the Online Shop has lost his account password, the Online Shop offers an option to generate a new password. The password is stored in encrypted form to prevent unauthorized people from reading it.

9.3. The Data Controller does not send electronic correspondence requesting login data, in particular an access password to the Customer’s account.

PERIOD OF PERSONAL DATA PROCESSING:

10.1. The period of data processing by the Data Controller depends on the provided service and the purpose of processing. The data processing period may also be due to legal regulations, such as when they are grounds for processing. If the basis of the processing is the justified interest of the Data Controller – e.g., due to safety reasons – data is processed for a period enabling the realization of this interest or until a practical objection regarding data processing is submitted. If data is processed based on approval, data is processed until the approval is revoked. If the basis of processing is its indispensability to enter and fulfill a contract, the data is processed until contract termination.

10.2. Data processing may be extended if necessary to establish or assert claims or defend against claims after this period—insofar as it is required by law. After this period of processing, the data are irrevocably deleted or anonymized.

RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA:

Subjects of Personal Data have a right to:

11.1. Right to receive information about processing personal data—On this basis, the Data Controller provides to a natural person who requests information about processing data, mainly including information about the purposes and legal grounds of processing, the scope of stored data, the subjects whose data is being disclosed, and the planned date of data erasure.

11.2. Right to obtain a copy of data—On this basis, the Controller provides a copy of processed data concerning a person who submits such a demand.

11.3. Right to rectification – The Data Controller must remove any non-compliance or errors in personal data processed and supplement them if they are incomplete.

11.4. Right to erasure—On this basis, you may demand that your data, the processing of which is no longer necessary to realize any of the purposes for which they were gathered, be removed (erased).

11.5. The right to limit processing—in the event of such a request, the Data Controller ceases to conduct operations on personal data, except for operations agreed to by the Data Subject and their storage, in accordance with accepted retention rules or until causes of data processing restrictions cease (e.g., a decision of supervisory authority enabling further data processing is issued).

11.6. Right to transfer your personal information – on this basis – in the scope in which the data is automatically processed in connection with the concluded agreement or given consent – the Data Controller issues data provided by the data subject in a format that allows its reading by the computer. Demanding the transfer of such data to another subject is also possible; however, it is subject to technical possibilities in this scope both on the side of the Controller and the indicated entity.

11.7. Right to object to processing data for marketing purposes—The Data Subject has the right to object at any time to the processing of their personal data for marketing purposes; an objection within this scope does not need to include a justification.

11.8. Right to object to other data processing purposes – a data subject may at any time – on grounds relating to their particular situation – object to processing personal data based on the Controller’s legitimate interest (e.g., for analytical or statistical purposes or given safeguarding of assets); an objection within this scope should include a justification.

11.9. The right to revoke consent – if the data is processed under a granted consent, the data subject is entitled to revoke it at any time, which, however, will not affect the legality of the processing before the revocation of such consent.

11.10. The right to file complaints—If you believe that our conduct in processing Personal Data violates GDPR or any other applicable laws, you can complain to the data-processing supervisory authority.

BRINGING DEMANDS RELATED TO THE EXECUTION OF RIGHTS:

12.1. A request about exercising the rights of Data Subjects may be filed:

– in writing to the following address or via e-mail at [email protected] (pt. 3.1.).

12.2. If the Collector is not able to identify the person submitting the proposal based on the submission, he will seek supplementary information from the applicant. Indication of such data is not obligatory; however, failure to indicate them shall result in refusal to realize the given demand.

12.3. Such a request may be made personally or through a proxy (e.g., a family member). For data safety, the Data Controller encourages the use of a notarized proxy statement or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request’s authenticity.

12.4. A reply to a request shall be sent within a month from the date of the receipt. Where necessary to extend the period, the Data Controller shall advise the applicant of the causes of this action.

12.5. If a request is directed to the Data Controller electronically, a reply is provided in the same form unless the requester asks for a reply in another form. In other cases, the answer is provided by written means. If the deadline for the execution of the request renders it impossible to provide an answer in writing and the scope of the applicant’s data processed by the Controller enables contact by electronic means, the answer shall be provided by electronic means.

12.6. The Data Controller stores information about both the request and the person who made it to guarantee the possibility of proving conformity and to establish, defend, or pursue eventual claims of Data Subjects. The request database is stored in a way that provides integrity and confidentiality of the contained data.

CHANGES IN THE POLICY OF PROCESSING PERSONAL DATA:

13.1. This Policy is reviewed regularly and amended according to the needs.

13.2. The current version of the Policy has been in force since 17.02.2024.