PRIVACY POLICY
1. General Provisions
1.1. This Privacy Policy regulates the principles governing the collection, processing, and storage of personal data. Personal data is collected and stored by Controller of personal data Eesti Pandipakend OÜ (hereinafter Data Processor).
1.2. For the purposes of the Privacy Policy, a data subject is a customer or other natural person whose personal data is processed by the Data Processor.
1.3. For the purposes of this Privacy Policy, a customer is anyone who buys or leases goods or services from the Data Processor's website.
1.4. The Data Processor adheres to the principles of data processing provided for by legislation, among other things, the Data Processor processes personal data legally, fairly, and securely. The Data Processor can confirm that personal data has been processed in adherence to legislative provisions.
2. Collecting, processing, and storing of personal data
2.1. Personal data collected, processed, and stored by the Data Processor is collected electronically, mainly via relevant website and e-mail.
2.2. By sharing their personal data, the data subject grants the Data Processor the right to collect, organize, use, and manage such personal data for the purposes defined in the Privacy Policy which the data subject shares directly or indirectly with the Data Processor when purchasing or leasing goods or services on the website.
2.3. The data subject is responsible for ensuring that the data provided by them is accurate, correct, and complete. Knowingly submitting false information is considered a violation of the Privacy Policy. The data subject is obligated to immediately notify the Data Processor of any changes in the submitted data.
2.4. The Data Processor is not liable for any damage caused to the data subject or to third parties by submission of false information by the data subject.
3. Processing of customers’ personal data
3.1. The Data Processor may process the following personal data of the data subject:
3.1.1. forename and surname;
3.1.2. date of birth;
3.1.3. personal identification code;
3.1.4. telephone number;
3.1.5. e-mail address;
3.1.6. delivery address;
3.1.7. bank account number;
3.1.8. payment card details.
3.2. In addition to above, the Data Processor has the right to collect data about the customer that is available in public registers.
3.3. The legal basis for processing of personal data is Article 6 (1) a), b), c), and f) of the General Data Protection Regulation:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3.4. Processing of personal data in adherence to the purpose of the processing:
3.4.1. Purpose of processing – security and safety
Maximum period storing of personal data – in adherence to terms prescribed by law
3.4.2. Purpose of processing – processing of orders
Maximum period storing of personal data – until closing of relevant user account
3.4.3. Purpose of processing – ensuring functionality of online store services
Maximum period storing of personal data – until closing of relevant user account
3.4.4. Purpose of processing – account management
Maximum period storing of personal data – until closing of relevant user account
3.4.5. Purpose of processing – financial activities, accounting
Maximum period storing of personal data – in adherence to terms prescribed by law
3.4.6. Purpose of processing – marketing
Maximum period storing of personal data – until closing of relevant user account
3.5. The Data Processor has the right to share the personal data of customers with third parties such as authorized data processors, accountants, transportation and courier companies, companies providing transmission services. The Data Processor is the controller of personal data. The Data Processor forwards personal data required for making of payments to the processor Maksekeskus AS.
3.6. Upon processing and storing of personal data of the data subject, the Data Processor implements organizational and technical measures to ensure protection of personal data against accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing.
3.7. The Data Processor stores the data of data subjects as depending on the purpose of the processing, but not longer than for 1 year after closing of relevant user account.
4. Rights of data subject
4.1. The data subject has the right to access and review their personal data.
4.2. The data subject has the right to obtain information regarding processing of their personal data.
4.3. The data subject has the right to supplement or correct inaccurate data.
4.4. If the Data Processor processes the personal data of the data subject on the basis of the data subject's consent, the data subject has the right to withdraw their consent at any time.
4.5. To exercise their rights, the data subject may contact relevant online store’s customer support at https://panditops.ee/.
4.6. In order to protect their rights, the data subject may submit a complaint to the Republic of Estonia Data Protection Inspectorate.
5. Final provisions
5.1. These data protection terms and conditions were prepared in line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Republic of Estonia Personal Data Protection Act, and legislation of the Republic of Estonia and the European Union.
5.2. The Data Processor has the right to amend the data protection terms and conditions in part or in full by notifying the data subjects of the changes via the website https: /www.panditops.ee/.