With the following personal data protection policy we provide information on the type of personal data collected, for what purposes and how we use it, who we are and what your rights are. The aim of this letter is to provide information referred to in Art. 13 section 1 and 2 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR that will apply from 25 May 2018.
Information given below is highly important, therefore please read the content very carefully.
Who is the Administrator of your personal data?
The Administrator, i.e. the entity that decides how you personal data will be used, is Elitfönster AB, Box 153, 574 22 Vetlanda, org.nr 556007-3073 (hereinafter referred to as “Us”)
You can contact us via:
Data Protection Officer
We have appointed a Data Protection Officer to whom you can address any question or request in all matters concerning personal data. You can do it:
Details on the use and protection of your data, your rights and conditions for using it can be found at https://www.elitfonster.se/integritetspolicy/
What is the purpose and on what basis we use your personal data?
We use your personal data obtained during the conclusion of the contract and during its term for the following purposes:
achieving goals based on your consent - (legal basis: Art. 6 section 1 a) GDPR e.g.:
using newsletter services,
providing information on products and services and about promotions being carried out,
events or actions that we organize, e.g. via traditional mail, emails, newsletter, telephone contact, text messages,
concluding and executing a contract between us and you - (legal basis: Art. 6 section. 1 b) GDPR e.g.:
as part of the purchase – sale, including transactions in the online store,
ensuring correct quality of services,
handling requests sent to us (e.g. via a contact form),
handling your requests and questions that are directed to us in connection with the implementation,
fulfilling the obligation required to comply with the legal obligation incumbent on the administrator – (legal basis: Art. 6 section 1 c) GDPR e.g.:
transferring data at the request of the court or police,
implementing our so-called legitimate interests – (legal basis: Art. 6 section. 1 f) GDPR e.g.:
providing payment services,
handling requests and questions that are directed to us in connection with the execution of the contract,
debt collection: carrying out court, arbitration and mediation proceedings,
storage of data for archival purposes (fulfilling our obligations provided for in applicable laws),
detecting and preventing misuses,
verifying payment credibility.
Is the provision of personal data necessary?
The provision of personal data by you is completely voluntary. We require you to provide us with data necessary to enter into and execute the contract in connection with each transaction. Unfortunately, if you fail to provide us with the necessary personal data, we will not be able to conclude the contract with you and, as a consequence, start the cooperation. If, for example, tax regulations require us to provide other necessary data, we must do so in order to establish or maintain cooperation. Providing personal data for direct marketing purposes is voluntarily – in particular, it does not condition the conclusion and execution of the contract.
To whom we can transfer your data?
The Company can share your personal data to:
our employees and associates who must have access to data in order to fulfil our obligations;
entities processing data on our behalf, participating in the execution of our activities:
our agents, advertising agencies and other entities assisting in the sale of our services or organization of marketing campaigns,
operators of our ICT systems or providing us with ICT tools,
subcontractors who support us in the execution of the contract between us and you, e.g. in handling correspondence or in the customer service process,
entities providing us with advisory, consulting, auditing, legal, tax and accounting services.
other data administrators that process data on their own behalf:
our agents, advertising agencies and entities cooperating in the organization of marketing campaigns or customer service – in order to settle their due remuneration,
entities providing postal or courier services,
entities purchasing receivables – in case you fail to pay invoices issued by us within the specified deadline,
payment service providers (banks, payment institutions) – to make refunds to you, for or in order to ensure the correct operation of the direct debit service,
entities cooperating with us when handling accounting, tax and legal issues – to the extent to which they become data administrators.
state authorities, e.g. courts, prosecutor’s office, tax authorities.
Will your data go outside the European Economic Area (EEA)?
We do not currently plan to transfer your data outside the EEA.
How long can we store your data?
If we use your data on the basis of your consent, we use this personal data until you revoke your consent and resign from the goals achieved through it.
In transactions related to the execution of the contract during the period of the execution of transactions and the time in which it is possible to claim compensations in connection with the execution of the contract concluded as a result of the transaction, a maximum of 3.5 years from the date of these transactions or until the time of validation.
In connection with the implementation of the law, your personal data will be stored for periods specified in the law, e.g. tax regulations.
We will store your personal data for as long as we may suffer the legal consequences of the failure to fulfil the obligation, e.g. receiving a financial penalty from the state authorities.
What is the automatic decision making?
We can use your data for profiling purposes based on your consent. However, the decision making will not be made automatically and will not have any legal effect on you or have any similar effect on your situation.
Personal data profiling consists in the processing of your data (also in an automated form) by using it to evaluate certain information about you, in particular to analyse or forecast your personal preferences and interests.
What are your rights?
You have the following rights in connection with our processing of your data:
the right to access your personal data, including the right to information about your personal data and to obtain a copy of your personal data,
the right to rectify your personal data if it is incorrect and the right to supplement incomplete data,
the right to remove your personal data,
the right to limit the processing of your personal data,
the right to transfer your personal data,
the right to lodge a complaint with the personal data protection authority, i.e Datainspektionen, Box 8114, 104 20 Stockholm, (email@example.com) in case of illegal processing of your personal data,
the right to revoke at any time any consent without giving reasons and without affecting the processing which has been made on the basis of consent before its revocation,
the right to object to:
our processing of your personal data for marketing purposes, including the so called profiling (i.e. the objection to providing you with information about our promotions, offers, products, including services, actions and events, including special offers), and after submitting such an objection we will not be allowed to process your data for marketing purposes;
our processing of your personal data for the purposes arising from the so- called legitimate interests that we realize – for reasons related to your particular situation.
You can exercise your rights listed in point 1 at any time by making an appropriate request.
You can make requests described in point 1 to our Data Protection Officer in accordance with the contact details provided.
We are obliged to inform you about the actions taken in connection with requests referred to in point 1, without undue delay, and in any case within one month of receiving your request. If necessary, the deadline referred to above can be extended by another two months due to the complexity of the request or the number of requests. However, within one month of receiving your request, we must inform you about the extension of the deadline and the reasons for it.
If we do not take action in connection with your requests referred to in point 1, we will inform you immediately, no later than one month after receiving the request, about the reasons for not taking action and the possibility of lodging a complaint with the President of the Office for Data Protection and using legal protection measures in the court proceedings.
If we have reasonable doubts about your identity in connection with the request, we may ask you for additional information necessary to confirm it.
We will provide you with the information referred to in point 4 – 6 above, in writing and way we choose:
via registered letter to the postal address that you provided, or
via electronic means to the email address that you provided, except if:
you send us your request electronically and do not request information in any other form – then we will send information to the email address that you provided;
you request providing information orally and we confirm your identity by other means – then we will give you information orally.
Any communication and actions taken by us in connection with your requests referred to in point 1 above are free of charge. However, if your requests are clearly unjustified or excessive, e.g. due to the continuing nature, we will be able to:
charge a fee, including administrative costs of providing information, communication or taking the action requested, or
refuse to take action in connection with the request.
Each recipient to whom we have disclosed your personal data will be informed about a request to rectify, supplement, remove or limit the processing of your personal data, which we have made as a result of the request presented to us. We will not have to provide such information only when it is impossible (e.g. the Company has been liquidated) or if it requires disproportionately large effort (data was disclosed many years ago and despite the attempts taken it was not possible to contact the recipient).
At your request, we will inform you about the recipients to whom we have provided information about the rectification, removal or limitation of your personal data processing as well as about the recipients we have not been able to notify.