0   /   100

Privacy Policy

DATA CONTROLLER:

Jenny Kros Ltd. is the Data Controller of this Website. We are a company registered in Bulgaria under number 206170342 whose registered office is at 49a Bulgaria Blvd., ent B, 10th fl., app 29, Sofia, Bulgaria (the Data Controller or us or we)

Contact details

email: shop@jennykros.com; 

phone: +359882296777

Data protection officer (DPO)
Jenny Saliba
phone: +359882296777   

GROUNDS AND PURPOSES OF THE PROCESSING OF PERSONAL DATA

We process personal data only when one of the following applies:

  • There is a concluded contract between you and us with the purpose to execute our contractual obligations;
  • We have received explicit consent from you – the purpose is being specified for each case; 
  • There is a legal obligation for us to process the personal data; 
  • We have a legitimate interest to process the data;

In this Privacy Policy, you will find detailed information regarding the processing of personal data. 

PROCESSING OF DATA FOR THE EXECUTION OF CONTRACTUAL OBLIGATIONS OR DURING PRE-CONTRACTUAL RELATIONS

We process personal data to execute our contractual and pre-contractual obligations. The purpose of the processing is as follows:

  • To Identify the data subject
  • To provide our services and products
  • Prepare offers
  • Send you invoices/bills for the services you are using
  • To provide you full support 
  • To receive payments from you
  • To maintain correspondence with you
  • To prevent unlawful behaviour or breach of our Terms of Use and Privacy policy

Category of data subjects

On this legal basis, we process data of our customers. A customer is any individual or representative of a company who has a contractual or pre-contractual relationship with us and wishes to use our Services.

Services

We are selling designer clothes and accessories as described in our Terms and Conditions.

Data we process 

On this ground, we process information regarding the type and content of the contract as well as any other information related to the contracted, including:

  • Personal contact data – your name, company name, contact address, email, phone;
  • order history
  • communication in regard to the client’s service

In order to execute our contractual obligations, we need the above informаtion or the execution would be impossible without it.  Such personal data shall be marked in a specific way with a “*” or another sign. All other personal data is collected voluntarily.

Contact form

Through the contact form, we collect the data provided by you voluntarily. By submitting the data via the contact form, you agree to our Privacy Policy. The data you send us is processed only for the purpose of providing our services and the possible conclusion of a contract. The data is processed and deleted in accordance with the rules of our Privacy Policy and in particular the rules for data collected on a contractual or pre-contractual basis.

User profile

Each registered user has a unique user profile. In the account settings, each registered user can manage their personal data protection settings, including adding, updating and deleting personal data.

Transfer of personal data to third parties

We transfer data to third parties with the purpose to improve the quality of our services and offer you full support. We only transfer personal data to third parties, who have proved to us they have applied or required organizational and technical security measures. In this case, we are responsible for the privacy and security of your data.

We transfer personal data to the following categories of third parties

  • postal and shipment service providers
  • hardware and software service providers
  • consulting service providers, such as lawyers, accountants, tax advisors and others
  • cloud service providers, such as AWS, Google, Microsoft etc.

Data deletion

We delete personal data processed on this ground after 5 years after the contract has expired regardless of the reason for the expiration. We chose this time period, because this is the expiration period for the claims from a contract. 

We delete personal data collected during pre-contractual relations after 12 months.

PROCESSING OF DATA IN COMPLIANCE WITH LEGAL OBLIGATIONS TO WHICH WE ARE SUBJECT

Sometimes there is a legal obligation for us to process personal data. In such cases, we are obliged to process personal data. Such cases are:

  • Obligations under the Against Money Laundry act (AML);
  • Obligations under the Consumer Protection act (CPA) 
  • Obligations to provide personal data to Consumer Protection Commission and third parties under CPA;
  • Obligations to provide personal data information to Personal Data Protection Commission 
  • Obligations under the Accounting act and Tax-Insurance Procedure Code (TIPC)
  • Obligations to provide information to the court or third parties under the applicable procedure laws;
  • Obligation to certify the age of the data subject

Data deletion

Personal data processed on this ground is being deleted after the obligation has been fulfilled or has expired.

Transfer of data to third parties 

In cases where we have to fulfil our legal obligations, we could transfer personal data to third parties such as public authorities.

LEGITIMATE INTEREST

We collect and analyse data on the grounds of our legitimate interest. This data is collected in order to improve our services and client support. On this ground, we collect information regarding the behaviour of our customers and analyze this data.

In case the collected data goes beyond our legitimate interest we would ask for your explicit consent. 

Your data could be anonymized. Anonymisation is an alternative to data deletion. When the data is anonymised you could no longer be identified. 

AFTER RECEIPT OF YOUR CONSENT

We process personal data on this ground only after your explicit consent. The consent is given in compliance with Art. 7 from Regulation 679/ 2016 (GDPR). 

We do not foresee any negative consequences for you in case you decide not to share your personal data. 

Your consent is a separate ground for the processing of personal data and the purpose of the processing is specified for each case. 

Processed data 

On this ground we process only the data for which we have received your explicit consent. However, in most cases this data includes:

  • Email
  • Name

Transfer to third parties

On this ground we could transfer personal data to third parties, specified with the consent. 

Withdrawal of the consent

The consent could be withdrawn at any time. The withdrawal does not in any way affect any contracts or other relations between you and us. The withdrawal does not affect the processing before the withdrawal was given. 

To withdraw your consent you just have to use our website or write us an email. 

Data deletion

You can request deletion of your data at any time.

Email marketing

In case you sign up to receive emails from us, you will receive messages with up-to-date information about our services, the services of our partners or other useful information. You can unsubscribe from the email newsletter by clicking the button in the email labelled “unsubscribe” or other similar text. You can also unsubscribe using our contact information provided in this Policy.

DATA SUBJECT RIGHTS

You have all data protection rights under the Data protection act and GDPR. 

You could use your right by contacting us through our website or just by writing us an email. 

You have the right to:

  • Be informed regarding the processing of your personal data 
  • Access your personal data
  • Demand correction your personal data
  • Deman deletion of your personal data 
  • Demand limitation of the processing of personal data
  • Portability of personal data between the controllers
  • Object against the processing of personal data
  • Be excluded from fully-automated decisions 
  • Protect your right in court or through administrative procedure in case of violation of data protection rights

Data subject could demand deletion in the following cases: 

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society to a person under 16 years. 

Data subject has the right to restriction of personal data, when:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.

Portability right.

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  • the processing is based on consent or on a contract pursuant to point (b) of Article 6(1); and
  • the processing is carried out by automated means

Right to make a claim

Data subject has the right to make a claim against the unlawful processing of personal data to the Data protection commission or the according court.  

Personal data records

We maintain a record of our processing activities. This record contains the following information:

  • Name and coordinates of the controller
  • Purposes of the processing
  • Description of the categories of data subjects and processed data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The governing body of our the activity is the Bulgarian Data Protection Commission with the following contact details:

  • 2, Prof. Tsvetan Lazarov blvd., 1592 Sofia
  • phone: +359 2 915 3580 +359 2 915 3548
  • Fax +359 2 915 3525
  • Email: kzld@cpdp.bg
  • Website: https://www.cpdp.bg/

DATA PROTECTION 

To ensure the protection of personal data of the company and the clients we apply all required organizational and technical measures under Data protection act and GDPR, as well as the best international practices. 

We have adopted Rules for data processing in the company. To ensure maximum security we could apply additional protection measures such as pseudonymisation, encrypting and other best practices.