Privacy Policy
1. INTRODUCTION AND SUMMARY OF YOUR RIGHTS
Are you interested in our website for trading in wall art? Through the website you as a photographer and artist can upload wall art to an online gallery, and you as a customer can shop for wall art. To use the website, we need to collect and process personal data from you. You are not obliged to provide us with personal data, but without it we cannot offer you use of our website. The terms of use signed with you as photographers and artists describe our processing of your personal data in more detail. For those of you who shop for wall art through the website, your personal data needs to be processed mainly in order to:
- create and maintain your account;
- manage and deliver your order;
- provide offers and inspiration to you (through newsletters, sms and targeted personalised marketing in social media);
- communicate with you (e.g. answer your questions and ask you questions) and,
- comply with laws and regulations and communicate with authorities.
Printler Group AB, org. No. 559114-9173, with address Rökerigatan 22, 121 62 Johanneshov is the data controller for the processing of personal data described in this policy. This means that Printler is responsible for ensuring that the personal data is processed correctly and in accordance with applicable data protection legislation. You have the right to know what personal data we process about you. You also have the right to request that incorrect or incomplete personal data be corrected or that we delete this personal data (e.g. if the personal data is no longer necessary for the purpose or if a consent has been revoked). Furthermore, you have the right to object to certain processing of personal data and to request that the processing of personal data be restricted. Finally, you have the right to obtain such personal data that you provided in a machine-readable format and to transfer it to another data controller.
If you have any comments on how we process personal data, you have the right to contact or file a complaint with the Integrity Protection Authority (Sw: Integritetsskyddsmyndigheten) (imy@imy.se or 08-657 61 00), which is the supervisory authority for our personal data processing.
If you have any questions or complaints about how we process personal data or requests for the exercise of rights as described above, please contact us by email at info@printler.com or by regular mail to the address above.
You have several rights under the General Data Protection Act. Below you can read more about our processing of your personal data and what rights you have.
2. BACKGROUND AND SCOPE
The General Data Protection Regulation (“GDPR”) provides protection for you when we process your personal data.
If processing of personal data would be contrary to the provisions of the General Data Protection Regulation, there is a risk of invasion of privacy for you and, as a consequence, a risk of damage to Printler's reputation. Furthermore, Printler may be liable to pay damages or be subject to a significant fine. In order to avoid such consequences, everyone in Printler's organization is obliged to follow these guidelines. The guidelines therefore serve both as an internal control document and as an information document for you. Our hope is that once you have reviewed the policy, you will feel safe with our management.
3. WHAT BASIC PRINCIPLES SHOULD WE OBSERVE?
The basic principles described below should always be observed when processing your personal data. Printler is responsible for and should be able to demonstrate compliance with the principles.
Legality, fairness, transparency – Personal data shall be processed legally, accurately and transparently in relation to you. This means that each type of processing should be based on a valid so-called legal basis, such as the performance of contracts, the fulfilment of a legal obligation, the performance of a task of general interest, legitimate interest or consent (see section 5 below). Thus, if no legal basis applicable to the processing is identified, the processing may not be carried out. The starting point for this principle is clear communication with you about, among other things, the purposes for which the personal data is processed, what type of processing is carried out, whether and how the personal data is shared with others, how long the personal data is stored and how to get in touch with Printler. The data subjects must therefore be provided with clear and transparent information on the processing of their personal data.
Purpose limitation – Personal data may only be collected and otherwise processed for specific, explicit and legitimate purposes and may not subsequently be processed in a manner incompatible with those purposes.
Data minimisation – Personal data processed shall be adequate, relevant and not excessive in relation to the purposes. Make sure that the data collected is really needed and don't ask for information just because it might be useful to have.
Accuracy – personal data processed must be accurate and, if necessary, up to date. Take appropriate measures to ensure that incorrect or incomplete information is corrected, such as procedures for changing address when moving with a compilation of systems and registers where the address is stored. However, avoid storing copies of the data in many systems in order to avoid sources of error and non-up-to-date information.
Storage restriction – Personal data may not be stored for longer than necessary with regard to the purposes of the processing. When the data is no longer needed, it must be deleted, which means that it must either be deleted or de-identified.
The principle of accountability means that Printler must be able to demonstrate compliance with GDPR. Printler must therefore, for example, document implemented and planned processes and measures related to data protection issues.
Furthermore, there shall be a record of all types of processing of personal data carried out and Printler shall be able to present such a register to the supervisory authority where necessary.
4. WHAT IS MEANT BY THE TERM PERSONAL DATA?
Personal data is any data relating to an identified or identifiable natural person that can directly or indirectly identify a person. Examples of personal data are names, contact details, location data or factors specific to a person's physical, economic, cultural or social identity. Data that individually does not meet the requirements may together constitute personal data.
All processing of personal data is subject to GDPR and its rules. Processing means an action or combination of actions involving personal data, carried out in whole or in part by automated means. Personal data in e-mails and in documents on servers, in a simple list, on websites and in other unstructured material are also covered.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data, health data or data relating to a person's sexual life or sexual orientation (so-called special categories of personal data) is, as a general rule, prohibited. In order for such processing to be permitted, a valid exemption from the prohibition is required. The most common exceptions are that you have given consent or published the data yourself, in order to exercise rights or fulfil obligations in the field of labour law, in order to be able to establish, enforce or defend legal claims or for health purposes.
The processing of social security numbers may only be carried out if it is clearly justified by the purpose of the processing, the importance of a secure identification or any other noteworthy reason.
Printler shall keep a record of processing personal data.
5. WHO CAN GET ACCESS TO YOUR PERSONAL DATA?
Your personal data is processed mainly by us at Printler. We will never sell your personal data. In some cases, we share your personal data in order to fulfil our obligations to you in a good and effective manner:
- To ensure that you pay us, our payment solution providers will have access to your personal data.
- In order for us to be able to deliver your products to your home address or delivery point and to handle returns, we will share your personal data with shipping companies.
- In order to obtain and publish your possible reviews on our website, we share your personal data with the supplier who provides us with technical solutions to collect and publish the reviews.
- In order to promote our products and to make the Website as relevant as possible, we share your personal data with those who provide us with marketing services, for example Google and Facebook.
- We will share your personal data with suppliers who process the personal data on behalf of us as assistants to help us with e.g. IT and marketing services.
- In order to print and send out your goods, we need to share your personal data with our printing service.
6. DOES PRINTLER USE A DATA PROTECTION OFFICER?
Article 37 of GDPR provides for the appointment of a Data Protection Officer if the processing of personal data is carried out by an authority or the core business of the controller or processor consists in the processing of personal data.
In the light of Article 37 of the General Data Protection Regulation, Printler will not appoint a Data Protection Officer.
7. WHEN IS IT LAWFUL TO PROCESS PERSONAL DATA?
The processing of personal data is only lawful if and to the extent that any of the following grounds applies.
You have given your consent to the personal data being processed for one or more specific purposes. There are specific requirements that must be met for the consent to be valid.
The processing is necessary to perform a contract to which you are a party or to take action at your request prior to the conclusion of such agreement.
The processing is necessary to fulfil a legal obligation incumbent on Printler. For example, control data submitted to the Swedish Tax Agency can be mentioned.
The processing is necessary to protect interests that are of fundamental importance to you or to another natural person (e.g. when there is a danger to life).
Processing is necessary for the performance of a task of general interest (e.g. as a public defender) or as part of the exercise of public authority (e.g. as notary public).
The processing is necessary for the purposes of the interests of Printler or third parties, unless your interests or fundamental rights and freedoms are more important and require the protection of personal data, (balancing interests). When balancing interests, there are specific requirements for documentation relating to the assessment made.
8. HOW DO WE VIEW THE PROCESSING OF YOUR PERSONAL DATA?
Pre-purchase processing
In order for us to communicate with you, to store goods in your shopping cart of your choice, and to receive feedback from you, we must process your personal data. If you do not provide us with your personal data for these purposes, we will not be able to provide you with the service or answer your questions.
What personal data is processed?
- Information about your shopping bag and the email address you gave us when you started your purchase.
- Your name and contact information and any other information you send us.
For what purposes is the personal data processed?
- To save your abandoned shopping cart and remind you of the product(s) you have left in the shopping cart if you have started a purchase by entering your email address.
- To answer your questions.
What legal basis is the processing based on and how long is the data stored?
- Our legitimate interest in making it as easy as possible for you to buy the product you have shown interest in by adding it to your shopping cart. We will keep your data until you choose to empty the basket or delete the contents of it.
- Processing is necessary for the preparation and execution of our contract with you. We store the data for three (3) years or as long as required by applicable legislation.
Processing in the execution of purchases
In order for us to make your purchase, such as delivering the product, we need to process your personal data. We also need to process your personal data in order to comply with legal statutes or other requirements, such as the accounting law's requirements to save data and consumer protection laws. If you do not provide us with personal data for these purposes, we will not be able to make your purchase with us.
Please note that our payment solution providers also process your personal data in order to administer the payment for your order. Our payment solution providers are independently responsible for such processing. Therefore, always check how the supplier of your payment solution processes your personal data.
What personal data is processed?
- Your name, contact details such as email address and shipping address, order information, selected payment method and IP address.
- Your name, phone number, email address, address, and information about your purchase, such as your payment method. We also store the information you provided when you use your right of withdrawal, exchange or advertise a product.
- Information on your invoice such as purchase history, name and contact information.
For what purposes is the personal data processed?
- To administer your purchase, i.e. to know who we enter into a contract with, to confirm your purchase, to deliver your purchase and communicate with you regarding your delivery and to gather information about your experience.
- To administer your right of withdrawal or change of goods and to be able to comply with consumer protection and contract law rules (complaints, disputes, etc.) and answer your questions.
- To comply with laws, such as the Accounting Act.
What legal basis is the processing based on and how long is the data stored for that specific purpose?
- Processing is necessary for the performance of our contract with you. We save your data for five (5) years from the order placed.
- Processing is necessary for the preparation and performance of our agreement with you and for us to handle any disputes and comply with relevant consumer protection laws. We save your information from when you make your purchase and five years thereafter. If you choose to use any of your rights we will store your personal data until we have made a decision regarding the right of withdrawal or the exchange of a product and completed any refund or sent the new product to you.
- The processing is necessary in order for us to comply with the relevant legislation. We store your data for as long as necessary in accordance with the respective legislation.
Handling customer relations and customer accounts
In order to manage our contractual relations and your specific customer account, we process your personal data.
What personal data is processed?
- Your name, social security number, e-mail address, mobile phone number, cookies and IP address, username and delivery address.
For what purposes is the personal data processed?
- To manage your customer account that you have created. This includes sending you updated information about your account and our privacy policy. It also includes processing to take security measures regarding your account.
What legal basis is the processing based on and how long is the data stored for that specific purpose?
- Processing is necessary for the performance of the contract, to provide you with an account when you have decided to have an account. Processing to send you updates to our Privacy Policy is necessary to comply with laws and regulations. We store your personal data from when you make a purchase and five (5) years from your last login or until you ask us to delete your account.
Processing to communicate news, inspiration and relevant offers to you
What personal data is processed?
- Your email address and purchase history.
- Your e-mail address, cookies and IP address.
- Your name and the information you have provided in your review.
For what purposes is the personal data processed?
- To send you newsletters and relevant offers and to send you marketing.
- To do targeted marketing towards you on social media and on third-party sites.
- To publish a review that you have chosen to write to make the customer experience transparent to our visitors and to promote our brand to potential customers.
What legal basis is the processing based on and how long is the data stored for that specific purpose?
- Once you have made a purchase, we process your personal data based on our legitimate interest in sending relevant direct marketing. We will only do this if you do not object to your data being used in this way. We will keep the data for two years from your last purchase unless you request that the mailings be discontinued before that date.
- Our legitimate interest is to use your personal information for direct marketing and to make our marketing more relevant to you. We only do this if you have made a purchase from us and have not objected to receiving marketing. Your personal data will be processed for two (2) years from when you have completed your purchase, unless you object to our marketing before then.
- Our legitimate interest is to publish the review you have written and shared on a review platform. We'll store the data until you remove the review from the review platform.
9. ABOUT OUR BALANCE OF INTERESTS
For certain purposes, Printler processes your personal data and relies on our legitimate interest as a legal basis for the processing. When assessing the legal basis, we rely on a balance of interests test through which we have determined that our legitimate interests in the processing outweigh your interest and your fundamental right not to have your personal data processed. We have indicated our legitimate interest in the tables above. Please contact us if you would like to read more about how we have done this test. Our contact details are listed below in this policy.
10. HOW DO WE HANDLE COOKIES?
The website contains cookies. For more information, see our Cookie Policy.
11. SECURITY MEASURES, PERMISSION CONTROL, ACCESS AND DELETION
Personal data shall be processed in such a way as to ensure appropriate security of personal data using technical and organisational measures. Organizational security measures may involve the use of authentication of the systems that contain personal data, logging of access to personal data or keeping computers and the like containing personal data in such a way that unauthorized access is made more difficult and not provided. Examples of technical measures that need to be checked are whether Printler has adequate back-up procedures, adequate firewalls, password-protected wireless networks, updated virus protection, password protection for mobile devices such as mobile phones and tablets, protection against unauthorized internal access, password requirements, encryption if necessary, logging, access to and use of IT systems, etc.
Personal data may not be retained for longer than is necessary for the purpose of the processing. By establishing and following a thinning (deletion) routine for each database/processing activity, structured thinning work is ensured. Personal data in so-called unstructured material, such as in documents on servers, in a simple list, on websites, etc., also needs to be deleted when the purpose of the processing is fulfilled.
12. TRANSFER TO THIRD COUNTRIES
For the transfer of personal data to countries outside the EU and the EEA (so-called third country transfer), special rules apply. GDPR means that all EU Member States and EEA countries have equivalent protection of personal data and privacy and therefore personal data can be transferred freely in that area without restrictions. On the other hand, for countries outside that area, there are no general rules providing equivalent guarantees and therefore third-country transfers may only take place under specific conditions. This concerns any form of cross-border transfer of information, such as many online IT services, cloud-based services, external access services, or global databases, etc., and a particular analysis is therefore needed.
Third country transfers will not occur in respect of your personal data.
13. RISK ASSESSMENT
Printler has a special routine in place to be able to identify and manage specific privacy risks within the business and for structured follow-up. Particular risks to the rights and freedoms of natural persons may, for example, occur in connection with a particular type of processing of data, in particular sensitive data, processing to a particularly large extent, the use of new technologies or the like.
If a new or amended personal data processing is likely to present a high risk to the rights and freedoms of natural persons, the procedure shall be followed and the effects of the intended processing on the protection of personal data shall be assessed before the commencement of the processing. Before starting such personal data processing, Printler's CEO is contacted to investigate whether an impact assessment is required and, if necessary, the impact assessment is carried out together with those responsible through work meetings.
14. EXTRACTS FROM REGISTERS AND DISCLOSURE
GDPR gives data subjects a number of rights in relation to the processing of personal data. It is Printler's job to comply with these rights and to ensure that sufficient processes exist to satisfy the data subjects.
You have the right to information when the personal data is collected. This information shall be provided in an easily accessible written form in clear and plain language. GDPR provides for a number of clear requirements that must be met and the requirements vary depending on whether the information has been collected from yourself or from third parties.
You have the right to receive confirmation of whether personal data belonging to you is being processed, and in such cases receive a copy of the personal data (register extract). This right applies irrespective of the place where the personal data are processed.
If the personal data processed is inaccurate or incomplete, you can require correction. If you show that the purpose for which the personal data is processed is no longer permitted, necessary or reasonable in the circumstances, the personal data in question shall be deleted, unless there are any legal provisions that specify otherwise.
You have the right to transfer personal data that you provided to Printler to another data controller (right to data portability) if the processing is based on the legal grounds of agreement or consent. Personal data shall be provided to you in a structured, commonly used and machine-readable format. If technically possible, you can request that the data be transferred directly to another data controller. The right applies only to the personal data that you have provided to Printler.
In some cases, you have the right to require Printler to restrict the processing of your personal data, i.e. limit the processing to certain defined purposes. The right to restriction applies, among other things, when you believe that the data is incorrect and have requested that the personal data be corrected. You can then request that the processing of the personal data be restricted while the accuracy of the data is being investigated. When the restriction ends, the individual shall be informed thereof.
You have the right to object to the processing of personal data based on a legitimate interest as a legal basis. In the event of an objection, Printler shall cease processing unless it is able to demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or if the processing of personal data is carried out for the establishment, exercise or defence of legal claims.
In some cases, you have the right to request the deletion of your personal data ("the right to be forgotten"). An example is when consent is the legal basis for the processing and you withdraw your consent.
When personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you. If a data subject objects to the processing of personal data for direct marketing purposes, processing for such purposes shall cease.
15. PERSONAL DATA INCIDENTS AND QUESTIONS
A personal data breach is a security incident that results in accidental or unlawful destruction, loss, alteration or unauthorized access to personal data. Examples of personal data breaches include theft of customer records, unintentional disclosure of payroll information by e-mail to the wrong recipient, an employee bringing home an unencrypted work computer that is later stolen in a burglary and which leads to disclosure of information about employees or customers, personal data being published on the web by mistake, a laptop containing personal data being lost or stolen etc.
Personal data breaches may need to be reported to the supervisory authority within 72 hours of the discovery of the incident if there is a likelihood of risk to the rights and freedoms of natural persons. Incidents have been documented and the relevant data subjects may need to be notified.
In the event of a suspected personal data breach or questions related to the processing of personal data, the CEO is always contacted at info@printler.com.
16. MISCELLANEOUS
For definitions of terms used in this Policy, please refer to the General Data Protection Regulation.
17. REVIEW AND ADOPTION
These guidelines were adopted on 3 February 2021 and shall be revised annually or where circumstances so require.