General provisions

1.1. This present privacy policy governs the principles of collection, processing and storing of personal data. Personal data are processed and stored by the controller Furlin OÜ (hereinafter Controller).

1.2. In the meaning of the privacy policy, a data subject is a client or other natural person, whose personal data are processed by the Controller.

1.3. In the meaning of the privacy policy, the client is anyone who purchases goods or services via the Controller’s website.

1.4. The Controller adheres to the principles of data processing laid down by law and, inter alia, processes personal data in a lawful, fair, and secure manner. The Controller is able to confirm that personal data is processed in accordance with the provisions laid down by law.

Collection, processing and storing of personal data

2.1. Personal data collected, processed and stored by the Controller, have been collected electronically, mostly via website and e-mail.

2.2. By sharing his or her personal data when, whether directly or indirectly, purchasing goods or services from the website, the data subject gives the Controller the right to collect, organise and manage personal data for the purposes defined in the privacy policy.

2.3. Data subject is responsible for submitting accurate, correct and complete data. Wilful submission of false data is considered the violation of privacy policy. Data subject is obliged to immediately notify the Controller of any changes in the submitted data.

2.4. The Controller is not responsible for the damage caused to the data subject or third parties due to the submission of false data by the data subject.

The processing of personal data of clients

3.1. The Controller may process the following personal data of the data subject:

3.1.1. Given name and surname;

3.1.2. Telephone number;

3.1.3. E-mail address;

3.1.4. Delivery address;

3.1.5. Payment card details;

3.2. Besides the aforesaid, the Controller has the right to collect client-related data available in public registries.

3.3. Legal basis for the processing of personal data is established in Article 6 (1) a), b), c) and f) of the General Data Protection Regulation:

1. a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. c) processing is necessary for compliance with a legal obligation to which the controller is subject;
4. f) processing is necessary for the purposes of the legitimate interest pursued by the controller or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

3.4. Processing of persona data in accordance with the purpose of the processing:

3.4.1. The purpose of the processing – security and safety
Maximum period for which the personal data will be stored – pursuant to the terms provided by law

3.4.2. The purpose of the processing – processing of the order
Maximum period for which the personal data will be stored – 1 year

3.4.3. The purpose of the processing – ensuring the functionality of e-store services
Maximum period for which the personal data will be stored – 1 year

3.4.4. The purpose of the processing – customer management
Maximum period for which the personal data will be stored – 1 year

3.4.5. The purpose of the processing – financial activity, accounting
Maximum period for which the personal data will be stored – pursuant to the terms provided by law

3.4.6. The purpose of the processing – marketing
Maximum period for which the personal data will be stored – 1 year

3.5. The Controller has the right to share the personal data of clients with third parties, such as processors, accountants, transport and courier companies, or companies providing money transfer services. The Controller is the person responsible for processing personal data. The Controller will forward the personal data required for performing payments to Maksekeskus AS, who is the processor.

3.6. Where personal data are processed and stored, the Controller shall implement organisational or technical measures that ensure protection of personal data against the accidental or unlawful destruction, alteration, disclosure of, or any other unlawful processing.

3.7. The Controller stores the data of data subjects depending on the purpose of the processing, but no longer than for  2 years.

Rights of the data subject

4.1. The data subject has the right of access to and his or her personal data.

4.2. The data subject has the right to obtain information concerning the processing of his or her personal data.

4.3. The data subject has the right to completion or rectification of inaccurate personal data.

4.4. If the Controller processes personal data of the data subject based on the consent given by the data subject, then the data subject shall have the right to withdraw his or her consent at any time.

4.5. For exercising his or her rights, the data subject can address the customer support of e-store at info@furlin.ee.

4.6. In order to protect his or her rights, the data subject may lodge a complaint with Data Protection Inspectorate.

Final provisions

5.1. This present data protection policy has been prepared in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Personal Data Protection Act of the Republic of Estonia and legislation applicable by the Republic of Estonia and the European Union.

5.2. The Controller has the right to partially or completely alter the data protection policy, by notifying the data subjects of such alterations via www.furlin.ee website.