Estelė, UAB ensures that Personal Data is processed in a legal, fair and transparent manner, used only for the purposes established and expressly defined in the present Policy and is not subject to further processing in any manner that is incompatible with such purposes.
Estelė, UAB uses organisational and technical means to ensure proper storage of Personal Data, including protection against unauthorised processing, illegal processing and accidental loss, destruction or damage.
Website – the website https://www.estele.eu/ where clients of Estelė, UAB can submit orders, leave queries, give consent to process their Personal Data for direct marketing purposes.
Data Subject – a client or visitor of the Website whose data is processed by the Data Controller for the purposes of e-commerce, direct marketing, query management and loyalty program.
Data Processor – a natural or legal person acting within the powers granted by the Data Controller and assisting the Data Controller in the meeting the set objectives.
Personal Data – the data of a natural person processed by the Data Controller that can identify the client or the visitor of the Website, including but not limited to: name, surname, e-mail address, phone number, etc.
Data Processing – any activity involving Personal Data: collection, recording, accumulation, storage, alteration (addition or correction), provision, use, deletion or other any other action or a set thereof.
Direct Marketing– activities designed to offer special promotions and/or ask opinion about the offering of products or services via mail, phone or any other direct communication method.
E-commerce – the online buying and selling of products or services.
Consent – the voluntary act of the Data Subject whereby he/she consents with the processing of Personal Data.
Supervisory Authority – State Data Protection Inspectorate.
The Policy lays down the main provisions governing the collection, accumulation and processing of Personal Data.
PROCEDURE FOR THE COLLECTION, STORAGE AND USE OF PERSONAL DATA
The Data Subject consents to the use of the following Personal Data by the Data Controller for the purpose of e-commerce:
Online shop user name and password,
Product/service payment data (bank account No., payment method, etc.)
Purchase history (products/services purchased, price, etc.).
The Personal Data received for those purposes shall be stored for 5 (five) calendar years from the date of last access to online shop user account by the client.
The Data Subject is notified that the following data processors (courier service companies) shall be involved for such purposes:
Venipak LT, UAB, legal entity code: 3000906055, domicile: 33C, Tuskulėnų g. , Vilnius, LT- 09219;
The Data Subject agrees that when queries are submitted via e-mail or using the contact form available on the Website, the Data Controller shall process the following Personal Data for query management purposes:
The Data Controller confirms that the Personal Data processed for those purposes shall not be shared.
The Personal Data stored for those purposes shall be stored for 2 (two) calendar years from the date of submission of the data.
The Data Subject consents to the use of his/her Personal Data by the Data Controller for direct marketing purposes:
The Personal Data received for direct marketing purposes shall be stored for 5 (five) calendar years from the date of last access to online shop user account by the client.
The Data Controller confirms that Personal Data is collected directly from the Data Subject only and is not collected from other sources.
The Data Controller will not disclose the Personal Data under processing to third persons, except in the following cases:
The Data Subject has consented to Personal Data disclosure;
The Personal Data is disclosed when processing an order or providing other services – to other data processors providing product delivery services or other services ordered by the Buyer,
The Personal Data is disclosed to law enforcement institutions in accordance with legal requirements,
The Personal Data must be disclosed to prevent or investigate criminal activity.
IMPLEMENTATION OF DATA SUBJECT RIGHTS
The Data Subject is free to withdraw his/her consent to collect, process and store his/her Personal Data; he/she is free to withdraw his/her consent to process his/her Personal Data for direct marketing purposes without stating his/her reasons by contacting the Data Controller in writing using one of the following methods: 1) by accessing his/her online shop user account; 2) in the case of direct marketing – by following the link provided in each e-mail (newsletter); 3) by mail or hand delivery to the following address: 88, Kernavės g., LT-08216 Vilnius; upon receipt of the request of the Data Subject, the Data Controller shall immediately suspend the processing of the Personal Data and delete the data of the person to whom it relates. The Data Controller shall have the right not to delete the Personal Data from his server, provided he has legitimate grounds to store the Data, particularly when it is necessary for the purposes of national security and defence, public order, crime prevention, investigation, detection or criminal prosecution, significant national economic or financial interests and rights and freedoms of other persons.
When contacting the Data Controller about product/shipment delivery information, the Data Subject shall identify himself/herself by providing his/her name, surname and e-mail address.
Upon duly identifying himself/herself and presenting the Data Controller with an identification document or a notarised copy thereof, which shall be used exclusively for identification purposes and shall not be stored, the Data Subject shall have the right to review his Personal Data by contacting the Data Controller with a written request using one of the following methods: by mail or hand delivery to the following address: 88, Kernavės g., LT-08216 Vilnius.
If another person wishes to review the Personal Data of a Data Subject, such person must present a notarised power of attorney; lawyers shall be given access to such data only provided they furnish a legal representation agreement and state the reason for the use of the data.
Upon receipt of a request of the Data Subject to review his/her Personal Data being processed, the Data Controller shall send his reply within 30 (thirty) calendar days from the date of receipt of the request. The reply shall state whether the Personal Data of the person is being processed, and if so – to whom they have been disclosed in the course of the last 1 (one) calendar year. The reply shall be provided free of charge.
If upon reviewing his/her Personal Data the Data Subject finds out that his/her Personal Data has been collected or obtained from illegal sources, or that the Personal Data is being processed for purposes other than those stated in his/her consent, the Data Subject shall have the right to contact the Data Controller via e-mail and request that the processing activity of such Personal Data be suspended and/or his/her Personal Data deleted. The Data Controller shall review the request of the Data Subject, and upon finding out that it is valid, immediately, but in any event no later than within 5 business days, comply with the request of the Data Subject and notify him/her in writing about the actions which have been taken.
When upon reviewing his/her Personal Data the Data Subject finds out that it is inaccurate or incomplete, he shall contact the Data Controller in writing by properly identifying himself/herself and request the Data Controller to correct and/or supplement his/her Personal Data. Upon confirming the validity of the request, the Data Controller shall correct or supplement the Personal Immediately, but not later than within 5 business days, and notify the Data Subject in writing about the actions which have been taken.
The Data Subject shall have the right to request that the Data Controller “forgets” him/her, and in particular – that he deletes all his/her Personal Data, should it not be required for the original purpose for which it has been collected and processed, or when the Data Subject withdraws his consent, or when the data is processed in violation of legal requirements. The Data Controller shall comply with the request immediately, but not later than within 5 business days, and notify the Data Subject in writing about the actions which have been taken
When the Data Subject believes that the processing of his/her Personal Data was in prejudice of his/her legitimate interests, he/she shall be entitled to approach the Supervisory Authority.
PERSONAL DATA BREACH RISKS AND THE PROCEDURE FOR ADDRESSING THEM
The Data Controller has the following organisational and technical means of Personal Data protection in place to ensure adequate Personal Data protection:
The business procedure of the Data Controller is organised in the way that ensures secure handling of computer data and/or documents (archives), as well as the transmission thereof (where applicable).
Access to the Personal Data of a Data Subject is only granted to those Employees who require it to perform their job duties, provided they have signed a confidentiality undertaking and reviewed other internal rules of procedure in the sphere of Personal Data processing.
The Data Processors (service providers) appointed by the Data Controller shall act exclusively within the powers granted by the Data Controller.
Personal Data shall be protected against loss, unauthorised use and alteration. Internet communication shall be encrypted, the Website is implemented using https:// protocol.
Hardware shall be protected against malware (e.g. by means of antivirus software, updates), while intranet shall have a firewall installed.
On the https://www.estele.eu Website cookies are used for statistics purposes, to measure the visor traffic of the Website and the popularity of individual content. This kind of data processing does not allow for direct or indirect identification of Website visitors.
Website visitors are free to delete cookies from their PC or block them in their browser, in which case part of the functions of the Website may be disabled or function incorrectly.