1. General provisions
1.4. The Controller observes the principles relating to personal data processing provided in legislation and inter alia processes personal data in a lawful, fair and secure manner. The Controller is able to verify that personal data has been processed in accordance with the provisions of legislation.
2. Collection, processing and storage of personal data
2.1. The personal data collected, processed and stored by the Controller has been collected electronically, mainly via the website and e-mail.
2.4. The Controller is not liable for any damage or loss caused to the data subject or a third party as a result of submission of false data by the data subject.
3. Processing of personal data of customers
3.1. The Controller may process the following personal data of the data subject:
3.1.1. first name and surname;
3.1.2. telephone number;
3.1.3. e-mail address;
3.1.4. delivery address;
3.1.5. bank account number;
3.1.6. payment card details;
3.1.7. company name;
3.1.8. company VAT identifier;
3.1.9. company address.
3.2. In addition to the aforesaid, the Controller has the right to collect data about the customer that is available in public registers.
3.3. The legal basis for processing personal data is Article 6(1)(a), (b), (c) and (f) of the General Data Protection Regulation:
a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3.4. Processing of personal data based on the purposes of processing:
3.4.1. Purpose of processing – safety and security Maximum term of retention of personal data – pursuant to the terms provided in legislation
3.4.2. Purpose of processing – processing of an order Maximum period of retention of personal data – 3 years
3.4.3. Purpose of processing – ensuring the functioning of the services of the online store Maximum period of retention of personal data – 3 years
3.4.4. Purpose of processing – customer administration Maximum period of retention of personal data – 3 years
3.4.5. Purpose of processing – financial activities and accounting Maximum term of retention of personal data – pursuant to the terms provided in legislation
3.4.6. Purpose of processing – marketing Maximum period of retention of personal data – 3 years 3.5. The Controller has the right to share the personal data of customers with third parties, such as processors, accountants, transport and courier companies, and companies providing transfer services. The Controller is the controller of personal data. The Controller shall submit the personal data required for making payments to the processor Montonio Finance OÜ.
3.6. When processing and storing the personal data of a data subject, the Controller shall take organisational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure and any other unlawful processing.
3.7. The Controller shall retain the data of data subjects based on the purpose of the processing, but no longer than 3 years.
4. Rights of data subject
4.1. The data subject has the right to gain access to and examine their personal data.
4.2. The data subject has the right to obtain information on the processing of their personal data.
4.3. The data subject has the right to modify or rectify inaccurate data.
4.4. If the Controller is processing the personal data of the data subject on the basis of the consent of the data subject, the data subject has the right to withdraw their consent at any time.
4.5. The data subject is able to address the customer support of the online store at the address firstname.lastname@example.org in order to exercise their rights.
4.6. The data subject has the right to lodge a complaint with the Data Protection Inspectorate to protect their rights.
5. Final provisions
5.1. These data protection terms have been prepared in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia, and legislation of the European Union. 5.2. The Controller has the right to partially or fully amend the data protection terms by informing the data subjects of any amendments via the website www.gup-tuning.ee