DATA PROTECTION

Privacy and data protection policy

 

Mandatory information on the rights of individuals under data protection

Information about the controller company that processes the data:

Controller: Brand Hicks Ltd,

registered office and registered address:

registered office. registered office and registered address. Nikola Vaptsarov 53A.

205651166

 

The company administrator is established in the Republic of Bulgaria and you can contact us as follows:

Address. You can contact us at the following address. Nikola Vaptsarov 53A, Sofia

+359896545553

E-mail address: info@gooddrinks.bg

UIC: 205651166

 

Information on the competent supervisory authority for personal data protection

Name: Commission for Personal Data Protection

Headquarters and registered office. "1592 Proff. No. 2 Tsvetan Lazarov

Address for correspondence. "Prof. Lazarovaza", 1592, ul. No. 2 Tsvetan Lazarov

Phone: 02 915 3 518

 

Brand Hicks Ltd. through the website www.gooddrinks.bg (hereinafter referred to as "Administrator") carries out its activities in accordance with the Personal Data Protection Act and Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company and the rights you have in relation to this processing.

 

Basis for collecting, processing and storing your personal data

1. The Controller collects and processes personal data of Users in connection with the use of the website www.gooddrinks.bg and the conclusion of contracts with the company on the basis of Art. 6, para. 1, Regulation (EC) 2016/679 (GDPR), in particular on the following grounds:

Explicit consent obtained from users;

Fulfillment of the Controller's contractual obligations;

Compliance with a legal obligation that applies to the Controller;

For the purposes of the legitimate interests of the Controller or of a third party;

Purposes and principles of collecting, processing and storing users' personal data

2. The Controller collects and processes personal data that Users provide to it in connection with the use of the website and the conclusion of a contract with the company, including for the following purposes:

creating a registration and providing full functionality when using the site;

conclusion and execution of a distance contract with and without registration;

individualisation of the contracting party;

accounting purposes;

statistical purposes;

information security protection;

securing the performance of the contract for the provision of the relevant service.

sending a newsletter if requested;

conducting a survey on user satisfaction with the use of the website;

fulfilling a legal obligation;

detection and resolution of technical or functionality problems, development and improvement of the site;

3. The controller complies with the following principles in processing personal data:

lawfulness, fairness and transparency;

limitation of the purposes of processing;

relevance to the purposes of the processing and minimisation of the data collected;

accuracy and timeliness of data;

limitation of storage with a view to achieving the purposes;

integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.

4. In processing and storing personal data, the Controller may process and store personal data in order to protect its legitimate interests as follows:

5. Types of personal data collected, processed and stored by the Controller:

Name and surname;

E-mail;

Gender;

Address;

Telephone number;

Other contact details

6. The administrator performs the following operations with the personal data provided by users for the following purposes:

- User registration on the site and execution of a distance purchase contract - the purpose of this operation is to create a registration to use the site for the purchase of goods and provide contact details for the delivery of purchased goods. Registration and creation of an account for use of the site is not a mandatory step of the provision of the service and it is available to a significant extent without the creation of an account.

- Conclusion of the impact assessment: Based on the impact assessment carried out, the operation 'Registration of a user on the website and execution of a distance purchase contract' is admissible and provides sufficient guarantees for the protection of the rights and legitimate interests of data subjects in line with the requirements of the GDPR.

- Conclusion and execution of a commercial transaction with a customer or partner - the purpose of this operation is the conclusion and execution of a contract with a commercial partner or customer and its administration. Given the limited scope of the personal data collected and the fact that some of it is collected from publicly available sources, it is not necessary to conduct an impact assessment of the operation.

- Sending a newsletter - the purpose of this operation is to administer the process of sending newsletters to users who ca stated that they wish to receive. Given the limited scope of the personal data collected, an impact assessment of the operation is not necessary.

- Exercising the right of withdrawal or making a complaint - the purpose of this operation is to administer the process of exercising the right of withdrawal or making a complaint by the customer. Given the limited scope of the personal data collected, it is not necessary to carry out an impact assessment of the operation.

7. When processing personal data, the Controller shall not carry out profiling that would give rise to legal consequences for users or otherwise significantly affect them, except as set out in point 13.

8. The Controller shall provide the Personal Data of the Users to partners for the purpose of carrying out the delivery of the ordered goods, for the purpose of carrying out the accounting service of the Users' requests, the realisation of legal claims and/or obtaining other services or advice.

9. The controller does not envisage that the personal data of users will be provided outside the European Union, except as specified in point 13.

10. When registering on the website using the registration option via the users' accounts in social networks, the Administrator will obtain information about the users' profiles in these networks. The Administrator is not responsible for the information available on these networks.

11. The Administrator's website uses so-called "cookies" for the purposes of providing full website functionality, improving user experience, statistical purposes, ease of access, etc., except as noted in paragraph 13. Cookies do not constitute personal data and are not used to identify visitors or users of the website.

12. The controller stores personal data of users for a period no longer than the existence of the profile on the site, except as specified in point 13. After the deletion of the profile, the Administrator shall take the necessary care to delete and destroy all personal data without undue delay or to anonymize them (i.e. to put them in a form that does not reveal the identity of users). The Controller stores personal data provided in connection with online orders for a period of 5 years for the purpose of protecting the legal interests of the Controller in the event of legal or administrative disputes with users of the site. The period of data storage is necessary to be extended in order to comply with a legal obligation or in view of the legitimate interests of the Controller or otherwise. The Controller stores the personal data that it is necessary to keep under applicable law for the relevant period provided for, which may exceed the duration of the registration on the site or until the completion of the order.

13. The controller uses Retargeting.Biz (with registration office in Romania, Bucharest, Sector 2, ul. "Vasile Lescar 178, Floor 2, VAT No. RO34270947, UIC:J40/3525/23.03.2015, email info@retargeting.biz, phone number +40-727-383-165), marketing automation software for e-commerce in order to analyze, profile and send personalized communication and offers. These actions have no legal effect or other significant effect on users. The only consequences to the consumer of using profiling methods would be to receive personalized marketing offers and discounts. Each user has the right to opt-out of profiling and receiving commercial communications, without any effect other than not receiving personalized marketing offers and discounts. For the purposes of data processing, profiling (action tracking) and interaction with the site, Retargeting. Biz automatically collects and stores the following data: User's email address, phone number, names, gender, address, city, county, date of birth, order number (ID), discount code, discount code value, order value, shipping value, product price, product(s), product variations, IP, browser, operating system, cookie, location vs. IP, date and time, pages viewed, category(s), brand(s), click on photo, hover over add to cart button, scroll up and down, add to cart, remove from cart, select variations, add to wishlist, comment, like and share on Facebook, visit Help pages. The group of targeted subjects are visitors, registered users and customers of the site, as appropriate and the selected service. Visitors' data will be stored for a period of 2 months and registered users' and customers' data will be stored for a period of 3 years. When delivering the Service to the Customer, Retergeting.Biz uses third party services (Subcontractors) located in the EEA and the USA (for Push Notifications only), and the transfer of personal data is based on the EU-US Privacy Shield; the data is stored only during the contract period between the two parties. Cookies: the Site must use a first-party cookie, and provide access to its information to Retargeting.Biz. "The cookie is placed by the website and thus can only be used in conjunction with this site. Therefore, the link between the internal tracking of users on this website and the tracking of users on other websites is not technically possible via the same cookie. To unsubscribe or opt-out of Retargeting.Biz, please send an email to...... (please put your customer contact email address here).

14. Withdrawal of consent to the processing of personal data

If the user does not wish the personal data provided by him/her to be processed for marketing purposes and to receive the newsletter, he/she may withdraw his/her consent to processing at any time by filling in the consent withdrawal form in Appendix 1 or by a free text request and sending it by email to the Administrator. The withdrawal of consent shall not affect the lawfulness of the processing of personal data that the Controller has carried out up to that point.

15. Right of access

The user has the right to request and obtain from the Controller confirmation of whether personal data relating to him or her are being processed by sending a request in free text by email. The User has the right to access the data relating to him/her and the information relating to the collection, processing and storage of his/her personal data. The controller will provide, upon request, a copy of the processed personal data relating to the user in electronic or other appropriate form.

16. Right to rectification or completion

The User may at any time rectify or complete inaccurate or incomplete personal data relating to him or her directly through the registration on the Site or by making a request to the Administrator by email using the form in Appendix 4 or by submitting a request in free text.

17. Right to erasure ("to be forgotten")

The User has the right to request the Administrator to delete some or all of the personal data relating to him/her, and the Administrator has the obligation to delete them without undue delay where one of the following grounds applies:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

the user withdraws the consent on which the processing is based and there is no other legal basis for the processing;

the user objects to the processing of the personal data relating to him/her, including for direct marketing purposes, and there are no legitimate grounds for the processing which prevail;

the personal data have been unlawfully processed;

the personal data must be erased in order to comply with a legal obligation under EC or Member State law to which the Controller is subject;

the personal data was collected in connection with the provision of information society services.

In order to exercise the right to be forgotten, the user must send by email a request for deletion of his personal data processed by the Data Controller by filling in the form in Annex 2 or by a free text request. The Controller will delete all data it processes about the user upon receipt of the request.

18. Right to restriction

The user has the right to request the Controller to restrict the processing of the data relating to him/her by sending a free text request by email when:

disputes the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;

the processing is unlawful, but the user does not wish the personal data to be erased, but only for their use to be restricted;

the Controller no longer needs the personal data for the purposes of the processing, but the user requires them for the establishment, exercise or defence of legal claims;

the user has objected to the processing pending verification whether the legitimate grounds of the Controller override the interests of the user.

The Controller will suspend the processing of the personal data at the user's request.

19. Right to portability

If the user has provided consent to the processing of personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, the user has the right to

request the Controller to provide personal data in a readable format and to transfer it to another Controller;

to request the Controller to transfer personal data directly to a controller designated by the user, where this is technically feasible.

The user has the right to exercise the right of portability by sending by email a completed form in accordance with Annex 3 or a request in free text, after which the Administrator will send to the email specified by the user the data it processes in XML format.

20. Right to receive information

The user may request the Controller to inform him/her of all recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested has been disclosed. The controller may refuse to provide this information if it would be impossible or would require a disproportionate effort.

21. Right to object

The user may object at any time to the processing of personal data concerning him or her by the Controller, including if the processing is for profiling or direct marketing purposes.

22. Response period

The Controller shall, without undue delay and in any event within one month of receipt of the request, submit a response to the user. If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests. The controller shall inform the user of any such extension within one month of receipt of the request, indicating the reasons for the delay. 21. In the event of a breach of the rights of users under the above or applicable data protection legislation, users shall have the right to lodge a complaint with the Data Protection Commission as follows:

Name: Data Protection Commission.

Headquarters and registered office. "1592, Prof. No.: 2 Tsvetan Lazarov

Address for correspondence. "Prof. Lazar", 1592. No. 2 Tsvetan Lazarov

Phone: 02 915 3 518

Website: www.cpdp.bg

 

 

Annex 1

Withdrawal of consent form for processing purposes

 

Your name*: .........................

Your email address you have used on the website*: .........................

Feedback details (e-mail)*: .........................

 

To

Brand Hicks Ltd,

Registered office:

Gr. Sofia, 53A Nikola Vaptsarov Blvd.

 

I hereby withdraw my consent to the processing of the personal data provided by me for the purpose of receiving newsletters, advertising messages or other marketing materials, having read the conditions for withdrawal of consent in accordance with the Mandatory Information on the rights of individuals on the protection of personal data on the site.

 

 

Appendix 2

Request "to be forgotten" - to delete personal data related to the user

 

Your name*: .........................

Your email address you have used on the website*: .........................

Feedback details (e-mail)*: .........................

 

To

Brand Hicks Ltd,

Registered office:

Gr. Sofia, 53A Nikola Vaptsarov Blvd.

UIC: 205651166

 

I request that all personal data that you collect, process and store, provided by me or by third parties related to me, according to the indicated identification, be deleted from your databases.

I declare that I am aware that some or all of my personal data may continue to be processed and stored by the controller for the purpose of fulfilling its legal obligations.

Annex 3

Request for portability of personal data

 

Your name*: .........................

Your email address you have used on the website*: .........................

Contact details (e-mail)*: .........................

 

To

Brand Hicks Ltd,

Registered office:

Gr. Sofia, 53A Nikola Vaptsarov Blvd.

UIC: 205651166

 

Please send all personal data related to me, which are collected, processed and stored in your databases, in XML format to:

e-mail: .........................

Receiving data controller: .........................

Name: .........................

Identification number (UIC, BULSTAT, reg. number in the CPC): .........................

E-mail: .........................

 

 

Annex No. 4

Request for correction of data

 

Your name*: .........................

Your email address that you used on the website*: .........................

Feedback details (e-mail)*: .........................

 

To

Brand Hicks Ltd,

Registered office:

Gr. Sofia, 53A Nikola Vaptsarov Blvd.

UIC: 205651166

 

I request that the following personal data that you collect, process and store, provided by me or by third parties who are related to me, be corrected as follows:

Data subject to correction:

..................................................

Please correct as follows: