Personal data protection
Gconf Comercial Srl shall process personal data in accordance with the laws in force and in a transparent manner, for explicitly specified, adequate and relevant purposes, and limited to what is necessary in relation to those purposes. Where necessary, it shall update the data, keep it in a form that allows identification of the data subject but use it only for what is necessary, and process it only for the purpose for which it is intended and in an appropriate manner that respects the security of the personal data, protecting it against unauthorized or unlawful use and against unforeseen loss, destruction or damage.
Definitions of terms and conditions regarding the protection of personal data
- “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
- “processing” means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; regardless of the means by which it is carried out, whether or not by automatic means;
- ‘profiling’ means any form of automatic processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular in order to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or movements;
- ‘pseudonymisation’ means the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- ‘data filing system’ means any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or broken down on a functional or geographical basis;
- ‘controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law;
- “processor” means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
- ‘recipient’ means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities to which personal data may be disclosed in the framework of a particular inquiry in accordance with Union or national law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;
- “third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or the processor, are authorised to process personal data;
- “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject signifies his or her agreement, in a statement or unequivocal action, to personal data relating to him or her being processed;
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed;
- ‘health data’ means personal data relating to the physical or mental health of an individual, including the provision of healthcare services, which reveal information about the state of health of the individual;
- ‘principal place of business’ means:
  - in the case of a controller with establishments in at least two Member States, the place where its central administration in the Union is located, unless decisions on the purposes and means of processing personal data are taken at another establishment of the controller in the Union which is competent to order the implementation of those decisions, in which case the establishment which took those decisions shall be deemed to be the principal establishment;
  - in the case of a processor with establishments in at least two Member States, the place where its central administration in the Union is located, or, where the processor does not have a central administration in the Union, the establishment in the Union of the processor where the main processing activities take place, in the context of the activities of an establishment of the processor, insofar as the processor is subject to specific obligations under this Regulation;
- ‘representative’ means a natural or legal person established in the Union, appointed in writing by the controller or processor pursuant to Article 27, who represents the controller or processor in relation to their respective obligations under this Regulation;
- ‘undertaking’ means a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in an economic activity;
- ‘group of undertakings’ means a controlling undertaking and undertakings controlled by it;
- ‘binding corporate rules’ means the personal data protection policies to be complied with by a controller or processor established in the territory of a Member State in relation to transfers or sets of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or a group of undertakings engaged in a joint economic activity;
- ‘supervisory authority’ means an independent public authority established by a Member State;
- ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
  - the controller or processor is established in the territory of the Member State of that supervisory authority;
  - the data subjects residing in the Member State where the supervisory authority is located are significantly affected or likely to be significantly affected by the processing;
  - or a complaint has been lodged with the supervisory authority concerned;
- ‘cross-border processing’ means:
  - either processing of personal data taking place in the context of the activities of establishments in more than one Member State of a controller or of a processor on the territory of the Union, if the controller or processor has establishments in at least two Member States;
  - or the processing of personal data taking place in the context of the activities of only one establishment of a controller or processor in the territory of the Union, but which significantly affects or is likely to significantly affect data subjects in at least two Member States;
- ‘relevant and reasoned objection’ means an objection to a draft decision for the purpose of establishing whether there is an infringement of this Regulation or whether the measures envisaged in relation to the controller or processor comply with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects and, where applicable, to the free movement of personal data within the Union;
- ‘international organisation’ means an organisation and its subordinate bodies governed by public international law or any other body which is established by or under an agreement concluded between two or more countries.
Principles relating to the processing of personal data
Personal data must be:
- processed lawfully, fairly and transparently in relation to the data subject (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods in so far as they will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures provided for in this Regulation to safeguard the rights and freedoms of the data subject (“storage restrictions”);
- processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by taking appropriate technical or organisational measures (‘integrity and confidentiality’).
Rights and obligations of the buyer and seller
- The Buyer is obliged to provide only true, current and accurate information when purchasing products and/or creating a user account. The registered customer is obliged to inform the seller immediately if there is a change in this personal information.
- The parties agree that, if the buyer is a natural person, the buyer is obliged to provide his/her first and last name, home address, including postcode, telephone number and email address in the order.
- The parties agree that, if the buyer is a legal person, the buyer is obliged to indicate in the order the company name, registered office, including postcode, registration number, telephone number and email address.
- Personal data entered by the buyer during registration of the user account on the website are protected by Law No. 122/2013 on the Protection of Personal Data and Amendment of Certain Laws and are processed by the seller only for order fulfillment and marketing purposes.
- The buyer can check and change the personal data provided at any time, and can also cancel the account after logging in to the website, in the section My account – Your address or Your personal data.
- In order to provide the online shopping service (e-shop), the seller needs to know some personal information of the buyer. The seller respects the buyer’s privacy and therefore attempts to request only as much of this information as is necessary; this information is also protected against misuse. The processing of personal data by the seller is fully subject to the legal rules of privacy law.
- Details of purchases, complaints and other activities of the buyer within our online shop are also confidential and subject to the same security rules as the use of personal data. Any information obtained about the buyer and his/her purchases is protected against misuse and is not given to any third party (except to companies that provide transportation or payment for goods, and who obtain only the minimum customer information necessary for successful delivery). All this data is necessary for the quality of the seller’s services.
- The buyer, by ticking the box before registering the order, can express his/her consent for the seller to process and store personal information, in particular those mentioned above and/or which are necessary for the seller’s activity to send information about new products, discounts and to process them in its system.
- The Buyer consents as per the above section of these terms and conditions for a defined period of time. After the initial processing purpose has been fulfilled, the seller will secure the buyer’s personal data. The Buyer may withdraw his consent to the processing of personal data at any time in writing, which consent shall terminate one month after the withdrawal.
- The seller declares that for purposes other than those mentioned above, it will collect personal data only with the buyer’s consent and at the same time ensures that the data will be processed and used only in a manner appropriate to the purpose for which it was collected.
- When creating a user account, the buyer agrees that the seller may use his/her name and email address to send information about discounts, news and other marketing activities. Each of these emails contains instructions on how the customer can easily opt-out of receiving them later.
- The buyer has the right to notify in writing changes or additions to personal data, as well as a request for deletion of personal data provided to the seller.
- By using the Seller’s online shop, the Buyer agrees to the collection and use of his/her personal data in accordance with the privacy policy and rules mentioned above.