Personal data protection
Personal data processing principles
Who processes your personal data ?
Your personal data is processed by the company Goriffee s. r. o. with registered office at Gabčíková 8, 841 05 Bratislava, ID No.: 46 289 305, registered in the Commercial Register of the Municipal Court Bratislava III, Section Sro, Insert No. 74964/B (hereinafter referred to as ,,the operator”). When personal data are processed by the controller, you are in the position of the data subject, i.e. j. of the person about whom personal data relating to him or her are processed. Your personal data will be processed securely, in accordance with the security policy of the controller.
What rights do you have as a data subject ?
- Right of access – you have the right to be provided with a copy of the personal data we hold about you, as well as information about how we use your personal data (sample request HERE).
- Right to rectification – if you believe that the information we hold is inaccurate, incomplete or out of date, please do not hesitate to ask us to correct, update or complete this information (sample request HERE).
- Right to erasure (to be forgotten) – you have the right to ask us to erase your personal data (sample request HERE).
- Withdraw consent – where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data we have processed about you on the basis of that consent (sample request HERE).
- Right to restriction of processing – in certain circumstances you are entitled to ask us to stop using your personal data (sample request HERE).
- Right to data portability – in certain circumstances, you have the right to ask us to transfer the personal data you have provided to us to another third party of your choice (sample request HERE).
- Right to object – you have the right to object to the processing of your personal data based on our legitimate interests (sample request HERE).
- Law not to be subject to automated individual decision-making , including profiling.
- The right to file a petition for initiation of a personal data protection procedure – if you believe that we are processing your personal data unfairly or unlawfully, you can file a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.
Where the provision of personal data is a legal/contractual requirement, you as the data subject are obliged to provide this personal data. Failure to provide the personal data necessary for the conclusion of a contract may result in the contractual relationship not being concluded.
If you object to the processing of your personal data, you have the right to submit your complaint or request in writing to the company’s registered office at Gabčíková 8, 841 05 Bratislava or by e-mail: info@goriffee.com.
The controller will not use your personal data for automated individual decision-making, including profiling.You can use our sample forms to exercise some of your rights.
The controller does not transfer personal data to third countries or international organisations.
E-SHOP
Contact form
Purpose of processing | communication via the web contact form, handling requests |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate interest is to ensure effective communication via the web |
Category of persons concerned | information seekers |
Personal data category | mandatory data: name, e-mail address, subject of the request, subject of the message, optional data: last name |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, website administration, marketing communications company |
Personal data retention period until erasure | 10 days from the end of the month in which the request was received |
| Transfer of personal data to third countries or international organisations | not implemented |
Register
Purpose of processing | registration of registered e-shop members, management of registered accounts |
Legal basis | consent of the data subject within the meaning of Art. 6 (a) of the GDPR Regulation |
Category of persons concerned | registered members |
Personal data category | first name, last name, e-mail, login (password) after registration, data on purchases/order will be processed |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, the website administrator |
Personal data retention period until erasure | 60 months from the date of the last registration of the registered member |
| Transfer of personal data to third countries or international organisations | not implemented |
Orders
Purpose of processing | conclusion and management of orders placed via the website (e-shop) |
Legal basis | contractual relationship within the meaning of Art. 6 (1) (b) GDPR Regulations |
Category of persons concerned | clients/persons authorised to act on behalf of the client if the client is a legal person/contact person of the client |
Personal data category | name, surname, street, city, postcode, region/region, e-mail, telephone number, subject of the order, data related to the payment name and special billing data if the client is a legal entity or a self-employed person (in particular VAT ID, VAT ID, VAT number) |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, including the website administrator, entities to which the controller is obliged to provide personal data by law, external carrier – in the case of the choice of delivery of goods by the selected external carrier, external partners providing a payment gateway |
Personal data retention period until erasure | 10 years from the execution of the order |
| Transfer of personal data to third countries or international organisations | not implemented |
Abandoned basket
Purpose of processing | reservation of goods within the abandoned cart system – saving the shopping cart data after leaving the website |
Legal basis | pre-contractual relationship within the meaning of Article 6(1)(b) of the GDPR |
Category of persons concerned | potential clients |
Personal data category | IP address, shopping cart information |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, including the website administrator, entities to which the controller is obliged to provide personal data by law |
Personal data retention period until erasure | 24 hours from the placement of products into the shopping cart [TJ1] |
| Transfer of personal data to third countries or international organisations | not implemented |
Complaints
Purpose of processing | registration and handling of complaints |
Legal basis | Act No. No 250/2007 372/1990 Coll. on offences, as amended, the contractual relationship within the meaning of Art. 6 (1) (b) Regulations, Act No. 102/2014, on consumer protection in the sale of goods or provision of services under a distance contract or a contract concluded away from the seller’s business premises and on amendment and supplementation of certain laws |
Category of persons concerned | clients, a person authorised to act on behalf of the client, if the client is a legal person |
Personal data category | name, surname, street, city, postcode, region/region, e-mail, telephone number, subject of the order, data related to the payment, name and special billing data if the client is a legal entity or a self-employed person (in particular VAT ID, VAT ID, VAT number), personal data related to the subject of the complaint in accordance with the principle of minimization, data provided in the order |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, the website administrator |
Personal data retention period until erasure | 2 years from the handling of the complaint |
| Transfer of personal data to third countries or international organisations | not implemented |
Reviews
Purpose of processing | publication of client reviews – evaluation of the quality of services and products provided by clients |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate interest is to inform the public about the quality of the services and products provided |
Category of persons concerned | clients/persons authorised to act on behalf of the client if the client is a legal person |
Personal data category | name, details given in the review |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, including the website administrator, entities to which the controller is obliged to provide personal data by law, website administration, marketing communications company |
Personal data retention period until erasure | for as long as the website on which the review was published is in operation, or unless the client requests deletion of the review |
| Transfer of personal data to third countries or international organisations | not implemented |
Records of clients and contact persons
Purpose of processing | registration of clients and contact persons |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate concern is the efficient provision of business communications. |
Category of persons concerned | clients, person authorised to act on behalf of the client, contact person of the client |
Personal data category | name, surname, e-mail, telephone number (identification data of the company on the basis of which the data subject can be identified – only for legal entities) |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law |
Personal data retention period until erasure | after termination of the contractual relationship |
| Transfer of personal data to third countries or international organisations | not implemented |
COFFEE SUBSCRIPTION
Orders
Purpose of processing | conclusion and management of orders placed via the website (e-shop) |
Legal basis | contractual relationship within the meaning of Art. 6 (1) (b) GDPR Regulations |
Category of persons concerned | clients/persons authorised to act on behalf of the client if the client is a legal person/contact person of the client |
Personal data category | name, surname, street, city, postcode, region/region, e-mail, telephone number, subject of the order, data related to the payment name and special billing data if the client is a legal entity or a self-employed person (in particular VAT ID, VAT ID, VAT number) |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, including the website administrator, entities to which the controller is obliged to provide personal data by law, external carrier – in the case of the choice of delivery of goods by the selected external carrier, external partners providing a payment gateway |
Personal data retention period until erasure | 10 years from the execution of the order |
| Transfer of personal data to third countries or international organisations | not implemented |
SUBSCRIPTION AS A GIFT
Purpose of processing | providing a gift – a “coffee subscription” to the donor, upon the donor’s request |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) Regulations. The primary legitimate interest is the delivery of the coffee subscription to the donee based on the donor’s instructions. |
Exercise of the right to object | The donee is entitled to object to the processing of personal data: electronically to e-mail: info@goriffee.com in writing to the company’s registered office at Gabčíková 8, 841 05 Bratislava To exercise the right to object to the processing of personal data, the donee can use the sample application, which is available HERE . If the donee exercises his/her right to object, the operator will no longer send the gift – “coffee subscription” to the donee. |
Source of personal data | the donor who has provided the donor’s personal data in the order form |
Category of persons concerned | Gifted |
Personal data category | Recipient: name, surname, delivery address (country/region, street, postal code, city), telephone contact[TJ2] ? |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, external carrier – in the case of the choice of delivery of goods by the selected external carrier, website administrator |
Personal data retention period until erasure | 1 month after the expiry of the subscription or in the case of refusal of the gift – coffee subscription by the recipient/right to object – 14 days after non-receipt of the shipment from the carrier/right to object |
WHOLESALE – SALE OF PRODUCTS AND SERVICES
Price offers
Purpose of processing | preparation of quotations for clients |
Legal basis | pre-contractual relationship within the meaning of Article 6(1)(b) of the GDPR |
Category of persons concerned | potential clients, person authorised to act on behalf of the potential client, contact person of the potential client |
Personal data category | name, surname, e-mail, telephone number, identification data if the client is a legal person or a self-employed person, on the basis of which it is possible to identify the person concerned, the subject of the quotation |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller and entities to which the controller is obliged to provide personal data by law |
Personal data retention period until erasure | 3 months from the delivery of the quotation to the potential client, the person authorised to act on behalf of the potential client, the contact person of the potential client |
| Transfer of personal data to third countries or international organisations | not implemented |
Contracts/Order
Purpose of processing | conclusion of contracts/order and administration of contractual relations/relations resulting from orders |
Legal basis | contractual relationship within the meaning of Art. 6 (1) (b) GDPR Regulations |
Category of persons concerned | clients, a person authorised to act on behalf of the client |
Personal data category | name, surname, street, city, postcode, (delivery address), e-mail, telephone number, identification data if the client is a legal person or a self-employed person, on the basis of which it is possible to identify the person concerned, the subject of the order/contract |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, external carrier – in the case of the choice of delivery of goods by the selected external carrier |
Personal data retention period until erasure | 10 years from the end of the contractual relationship |
| Transfer of personal data to third countries or international organisations | not implemented |
Records of clients and contact persons
Purpose of processing | registration of clients and contact persons |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate concern is the efficient provision of business communications. |
Category of persons concerned | clients, person authorised to act on behalf of the client, contact person of the client |
Personal data category | name, surname, e-mail, telephone number, (identification data of the company, on the basis of which it is possible to identify the data subject – only in the case of legal entities) |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law |
Personal data retention period until erasure | after termination of the contractual relationship |
| Transfer of personal data to third countries or international organisations | not implemented |
Complaints
Purpose of processing | registration and handling of complaints |
Legal basis | a contractual relationship within the meaning of Article 6(1)(b) of the Regulation |
Category of persons concerned | clients, a person authorised to act on behalf of the client, if the client is a legal person |
Personal data category | first name, surname, e-mail, identification data of the PO/CN, personal data related to the subject of the complaint in accordance with the principle of minimization, data specified in the order/contract |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law |
Personal data retention period until erasure | 2 years from the handling of the complaint |
| Transfer of personal data to third countries or international organisations | not implemented |
ACCOUNTING AND TAX OBLIGATIONS
Compliance with legal obligations in the field of accounting and taxation
Purpose of processing | fulfilment of legal obligations in the field of taxation and accounting in the area of business relations |
Legal basis | Act No. 431/2002 on accounting, Act No. 595/2003 Coll. on income tax as amended |
Category of persons concerned | clients, persons authorised to act on behalf of clients |
Personal data category | name, surname, bank account number (or e-mail), payment-related data, company identification data on the basis of which the data subject can be identified, if the client is a legal entity, |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, processor ensuring the fulfilment of the controller’s legal obligations, website administrator |
Personal data retention period until erasure | 10 years from the fulfilment of the legal obligation |
| Transfer of personal data to third countries or international organisations | not implemented |
MARKETING
NEWSLETTER – sending information about goriffee products, services and news
Purpose of processing | sending information about GORIFFEE products, services and news – promotion of the company |
Legal basis | consent of the data subject within the meaning of Art. 6 (1) (a) GDPR Regulations |
Category of persons concerned | those interested in subscribing to the newsletter, those interested in products or services |
Personal data category | name, e-mail |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, website administration, marketing communications company |
Personal data retention period until erasure | 5 years after consent is given |
| Transfer of personal data to third countries or international organisations | not implemented |
Reaching out to clients/customers with offers of similar goods or services that they have purchased
Purpose of processing | approaching clients/customers with offers of similar GORIFFEE goods or services that clients/customers have purchased from GORIFFEE. |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate interest is to provide direct marketing/providing individual offers to clients/customers. |
Category of persons concerned | clients/customers, a person authorised to act on behalf of the client if the client or customer is a legal person |
Personal data category | name, surname, e-mail, telephone number, data relating to previous purchases at GORIFFEE (data from orders, including the subject of the order), data obtained at the conclusion of the contractual relationship |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller and entities to which the controller is obliged to provide personal data by law, website administration, marketing communications company |
Personal data retention period until erasure | until termination of the contractual relationship |
| Transfer of personal data to third countries or international organisations | not implemented |
Satisfaction questionnaire
Purpose of processing | sending a satisfaction questionnaire to obtain feedback and improve services |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate interest is to ensure the improvement of the services provided. |
Category of persons concerned | clients, persons authorised to act on behalf of clients, contact persons of clients |
Personal data category | e-mail, data in the sense of the executed order |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, the partner sending the satisfaction questionnaire |
Personal data retention period until erasure | after the business case has been realised |
| Transfer of personal data to third countries or international organisations | not implemented |
SOCIAL NETWORKS
Communication
Purpose of processing | ensuring communication via social networks |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate interest is to ensure effective communication |
Category of persons concerned | information seekers |
Personal data category | data provided when carrying out communications via social networks |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, social network operator, social network management partner, marketing communications company |
Personal data retention period until erasure | for as long as you are actively using your social media account |
| Transfer of personal data to third countries or international organisations | not implemented |
COMPETITIONS
Ensuring consumer competitions
Purpose of processing | to ensure the running of the competition, informing the winners about the prize and delivering/delivering the prize in accordance with the competition statutes |
Legal basis | consent of the data subject within the meaning of Article 6(1)(a) of the GDPR |
Category of persons concerned | contest participants |
Personal data category | name and surname, e-mail, phone number, delivery address in case of winning the competition |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law, website administration, marketing communications company |
Personal data retention period until erasure | 1 month from the announcement of the competition results |
| Transfer of personal data to third countries or international organisations | not implemented |
EXERCISING THE RIGHTS OF DATA SUBJECTS – PROTECTION OF PERSONAL DATA
Purpose of processing | records of exercised rights of data subjects and breaches of protection pursuant to Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Amendments to Certain Acts, records of exercised rights of data subjects pursuant to Chapter III and notifications pursuant to Articles 33 and 34 of Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate interest is the recording of exercised rights and data breach notifications |
Category of persons concerned | the data subjects involved in enforcement of a right; the data subjects subject to a breach of personal data protection |
Personal data category | the data relevant for the exercise of the right, the data to be provided by the whistleblower when notifying the infringement |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law |
Personal data retention period until erasure | within 6 months of the expiry of 5 years from the exercise of the right or the occurrence of the data breach |
| Transfer of personal data to third countries or international organisations | not implemented |
ASSERTING LEGAL CLAIMS
Purpose of processing | the exercise of legal claims arising from contractual relations |
Legal basis | a legitimate interest within the meaning of Art. 6 (1) (f) GDPR Regulations. The main legitimate interest is the exercise of legal claims. |
Category of persons concerned | clients, persons authorised to act on behalf of clients |
Personal data category | name, surname, title, function, e-mail, telephone number, identification data of the company, on the basis of which the data subject can be identified, if the client is a legal person, data specified in the order/contract |
Categories of beneficiaries | authorised persons in a contractual relationship with the controller, entities to which the controller is obliged to provide personal data by law |
Personal data retention period until erasure | in the case of the right to compensation, the limitation period runs from the date on which the injured party knew or could have known about the damage and who is liable for compensation (subjective period), but ends no later than 10 years from the date on which the breach of duty occurred. |
| Transfer of personal data to third countries or international organisations | not implemented |
