Niksen Ltd. is a company registered in the Commercial Register at the Registry Agency with UIC 107545591, with a seat and registered office: Gabrovo, 3 Antim I Str., 3rd floor, 7, apartment 21, e-mail: office@niksen.bg, phone: +359 2 978 16 32. The correspondence address with the company is: Gara Yana (RMZ), Sofia 1805.
Niksen Ltd. (hereinafter referred to as “Controller”) carries out the activity in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The Controller sells goods through a website located on the domain https://www.niksen.bg.
II. Definitions
1) Personal data - any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is an identifiable person, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or by one or more attributes;
2) Restriction of processing - marking of stored personal data in order to limit their processing in the future;
3) Controller - Niksen Ltd., which alone or jointly with other persons determines the purposes and means for the processing of personal data;
4) Profiling - any form of automated processing of personal data, expressed in the use of personal data to assess certain personal aspects related to an individual, and in particular to analyze or forecast aspects related to the implementation of his contractual relationships and preferences;
5) Personal data processor - a natural or legal person who processes personal data on behalf of the Controller;
6) Recipient - a natural or legal person, public authority, agency, or other entity to which personal data are disclosed, whether a third party or not;
7) Third party - a natural or legal person, public authority, agency, or other authority other than the data subject, the controller, the processor and the persons, who, under the direct supervision of the Controller or the processor, have the right to process personal data;
8) Consent of the data subject - any freely expressed, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or clearly confirming action expressing his consent for the personal data related to him to be processed;
9) Consumer - any individual who visits the website https://www.niksen.bg to purchase goods by concluding a distance sale contract with the Controller;
III. Legal Grounds for collection, processing and storage of personal data
1. The Controller collects and processes personal data in connection with the use of the e-shop https://www.niksen.bg and concluding contracts with the company on the grounds of art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular based on:
• Explicit consent obtained from the Consumer;
• Fulfillment of the obligations of the Controller under a contract with the Consumer;
• Compliance with a legal obligation that applies to Controller;
• For the purposes of the legitimate interests of the Controller to a third party.
IV. Objectives and principles for collection, processing and storage of personal data
1. The Controller collects and processes personal data provided by the Consumers in connection with the use of the e-shop and concluding a contract with the company, including for the following purposes: ordering goods through the e-shop, concluding and executing a distance sale contract; individualization of a party to the contract; accounting purposes; statistical purposes; information security protection; ensuring the implementation of the contract for the provision of the respective service; the satisfaction of Consumers' complaints; direct marketing.
2. The Controller shall observe the following principles by processing personal data: legality, good faith, and transparency; restriction of processing purposes; relevance to the purposes of processing and minimizing the data collected; accuracy and timeliness of data; limitation of storage in order to achieve the objectives; integrity and confidentiality of the processing and ensuring an appropriate level of security of personal data.
3. The Controller may process and store personal data in order to protect the following legitimate interests: fulfillment of its obligations to the National Revenue Agency, Ministry of Interior, and other state and municipal authorities, fulfillment of any other legal obligations.
V. Types of personal data collected, processed and stored by the Controller
1. The Controller shall perform the following operations with the personal data provided by the Consumers for the following purposes:
• Ordering goods from the e-shop - the purpose is to send an order for delivery of goods to the Controller.
• Conclusion and execution of a distance selling contract with a Consumer - the purpose is the conclusion and execution of the contract, incl. delivery of the ordered goods and its administration.
• Exercise of the right of withdrawal - the purpose is to facilitate the process of exercising the right of withdrawal by the Consumers.
• Acceptance and satisfaction of a complaint - the purpose is to accept and satisfy the complaints filed by the Consumers.
• Administration of claims made by Consumer - the purpose is to accept and prepare a response to the complaint.
• Carrying out direct marketing - sending advertising messages containing information about goods, services, promotions, news, etc., related to the commercial activity of the Controller.
2. The Controller shall process the following categories of personal data and information for the following purposes and on the following legal grounds:
- Individualizing data (e-mail, name, telephone, address, etc.)
◦ Reasons for personal data processing: with the adoption of the General Terms and Conditions for the sale and use of the website https://www.niksen.bg and the order placement, a contractual relationship is created between the Controller and the Consumer for which reason the Controller processes the personal data of the Consumer.
- Delivery details (names, phone, address, etc.)
◦ Reasons for processing personal data: with the adoption of the General Terms and Conditions for sale and use of the website https://www.niksen.bg and ordering goods, a contractual relationship is created between the Controller and the Consumer, on which basis the Controller processes the personal data of the Consumer. The data necessary for the delivery are provided by the Controller to third parties (courier companies) for the delivery purposes.
- Direct marketing data (email address)
• Legal grounds for personal data processing: explicit consent provided by the Consumer when ordering goods from the online store.
The Consumers have free choice to express their consent to be provided with information by the Controller for the purposes of direct marketing. Giving consent for the processing of data for the purposes of direct marketing is not a condition for ordering goods through the e-shop. The Consumers who have agreed to receive information from the Controller related to direct marketing are given the opportunity to opt out at any time without giving a reason. The right of refusal to receive direct marketing information could be exercised through an explicitly specified option in each e-mail sent to users with such information.
3. The Controller does not collect or process personal data that reveal racial or ethnic origin; disclose political, religious or philosophical beliefs or trade union membership; genetic and biometric data, health data or data on sexual life or sexual orientation.
4. The personal data are collected by the Controller from the persons to whom they refer.
5. The Company does not perform automated decision-making with data or profiling of Consumers.
6. The website https://www.niksen.bg could be accessed through Google and other search engines, as well as through social networks. The website may integrate social media services (e.g. social media messages) through which the Consumers could communicate with the website. The website maintains social media accounts and may offer applications on various social media websites. Each time a Consumer accesses the website https://www.niksen.bg through social media, the provider of the respective social media may allow the Consumer to share information with us. If the Consumer chooses to share, he will be notified by the social media provider what information will be shared with us. For example, when accessing a website through a social media account, certain information (as permitted by the social media provider) may be shared with us. This may include the Consumers' address, age or profile photos stored in the Consumers' profile.
7. When the Consumers use the website https://www.niksen.bg, the Controller receives information from log files (a set of system information about the user): IP address; ISP (Internet Service Provider); the browser that the Consumer uses when visiting the website (e.g. Google Chrome, Internet Explorer and Mozilla Firefox); the time the Consumer has spent on the website and which pages on the website have been visited.
8. The website uses Google Analytics - a web service provided by Google for the compilation of detailed statistics for visitors to websites. The statistics are collected on the Google server and used by the Controller for analyzing the traffic and improving the efficiency of the website. The website may use information from social media, in particular Facebook about the Consumer, for this website, as well as for advertising and promotion of the website. The consent for the provision of this information is given by the Consumers to the respective social media.
9. The Controller also uses so-called Cookies. Cookies are small amounts of information that the web server sends to the web browser, allowing the server to collect feedback from the browser. More information about the types of cookies used by the Controller and the purposes for which he uses cookies could be found in the Cookie Policy.
VI. Term of personal data storage
1. The Controller stores the personal data of each Consumer for a period not exceeding one month from the date of execution of the order. The Controller takes the necessary actions to delete all personal data of the Consumer, without undue delay or to anonymize them (to bring them in a form that does not reveal the identity of the Consumer).
2. Notwithstanding the provisions of item 1, the Controller shall store the personal data, which it is necessary to keep by virtue of the applicable legislation for the respective term provided by law. The Controller shall notify the respective persons in case the term for data storage needs to be extended for fulfillment of a legal obligation or in view of legitimate interests of the Controller.
VII. Transfer of personal data for processing
1. The Controller may, at its discretion, transfer part or all of the personal data of the Consumers to personal data processors for the fulfillment of the processing purposes agreed by the Consumers, subject to the requirements of Regulation (EU) 2016/679 (GDPR). The Controller shall notify the Consumers in case of intention to transfer part or all of their personal data to third countries or international organizations.
VIII. Rights of Users regarding the collection, processing and storage of personal data
Withdrawal of consent for processing of personal data
1. If the Consumer does not want the personal data provided by him to be processed anymore, he may at any time withdraw his consent for processing by sending an email to the Controller.
2. After receiving the request, the Controller shall send to the email that is provided by the Consumer a message with detailed instructions for the verification of the Consumer concerned as a personal data subject.
3. After verification the Controller shall delete the Consumer's personal data and send a confirmation of the deletion. The deletion of personal data may result in the inability of the Controller to fulfill its obligations under the contract concluded with the Consumer.
4. The withdrawal of the consent does not affect the legality of the processing of personal data, which the Controller has performed so far.
Access right
1. The Consumer shall be entitled to request and receive from the Controller confirmation of whether personal data relating to him are processed by sending a request by email. The Consumer shall be entitled to access the data relating to him and the information relating to the collection, processing and storage of his personal data.
2. After receiving the request, the Controller shall send to the e-mail which is provided by the Consumer a message with detailed instructions for the verification of the Consumer concerned as the subject of the personal data to which access was requested.
3. After verification the Controller shall provide the Consumer with a copy of the personal data processed related to him in an electronic or another appropriate form.
4. The provision of access to data is free of charge, but the Controller reserves the right to request payment of a fee in the event of multiple requests.
Correction or completion
1. The Consumer may at any time adjust or complete incorrect or incomplete personal data associated with him by asking the Controller by e-mail. The Controller shall notify the Consumer by email about the correction.
Right of deletion (“Right to be forgotten”)
1. The Consumer shall be entitled to ask the Controller to delete a part or all personal data relating to him and the Controller shall have the obligation to delete them without undue delay when any of the following legal grounds exist:
• personal data are no longer necessary for the purposes for which they were collected or processed;
• the Consumer withdrew his consent to the processing of the data and there is no other legal basis for processing;
• the Consumer objected to the processing of the personal data associated with him and there are no legitimate grounds for the processing which prevail;
• the personal data were unlawfully processed;
• personal data have to be deleted in order to comply with a legal obligation under EU or local law which applies to the Controller;
• personal data were collected in connection with the provision of information society services.
2. The Controller shall not be obliged to delete the personal data if it stores and processes them:
• for the exercise of the right to freedom of expression and the right to information;
• to comply with a legal obligation which requires processing as provided for by EU or local law which applies to the Controller or to the implementation of a public interest task or to the exercise of official powers conferred on it;
• for public health reasons;
• to archive in the public interest, for scientific or historical research or for statistical purposes;
• for the establishment, exercise, or protection of legal claims.
3. To exercise his „right to be forgotten“, the Consumer is required to send by email a request to the Controller, after which the Controller will send to the e-mail which is provided by the Consumer a message with detailed instructions for the person's verification as a subject of the personal data for which a deletion request has been made.
4. Once the Controller has authenticated the identity of the person who made the request and the person to whom the data relate according to the instructions sent, the Controller shall delete all the data of the Consumer.
5. If an order has been placed and is being processed, the earliest moment at which the Consumer may request to be "forgotten" is the successful completion of the order.
Limitation right
1. The Consumer shall have the right to require the Controller to limit the processing of the personal data associated with him by sending the Controller a request by e-mail where:
• the Consumer disputes the accuracy of the personal data, for a period which allows the Controller to verify the accuracy of the personal data;
• the processing is illegal, but the Consumer does not want the personal data to be deleted, but only their use to be restricted;
• the Controller does not need the personal data for processing, but the Consumer requires them to establish, exercise or protect their legal rights;
• the Consumer has objected to the processing pending verification of whether the legitimate grounds of the Administrator have precedence over his interests.
2. After receiving the request, the Controller shall send to the e-mail which is provided by the Consumer detailed instructions for the verification of the person as a subject of the personal data for which a request for restriction of processing has been made.
3. After verification the Controller will discontinue the processing of personal data and notify the Consumer by e-mail.
Portability right
1. If the Consumer has given consent to processing personal data or processing is necessary for the execution of the contract with the Controller, or if the data are processed in an automated manner, the Consumer may ask the Controller to provide the personal data in a readable format and transfer them to another Controller, as well as to ask the Controller to transfer directly the personal data to a Controller designated by the Consumer where this is technically feasible.
2. The Consumer may exercise the right of portability by sending an email request, after which the Controller will send to the e-mail which is provided by the Consumer detailed instructions for the verification of the person subject to the personal data for which the request for portability was made.
3. After verification the Controller shall send the data that it processes for the person concerned in a read-only format to the other Controller.
Right to information
1. The Consumer may ask the Controller to inform him about all recipients to whom the personal data subject to correction, deletion or restriction of processing have been disclosed.
Objection right
1. The Consumer may object at any time to the processing of personal data by the Controller relating to him, including if they are processed for profiling or direct marketing purposes.
Users' rights in case of breach of personal data security
1. If the Controller finds a breach of the personal data which may lead to a high risk to the legal rights of the Consumer, it shall inform the Consumer without undue delay about the breach and the measures taken or to be taken by the Controller.
2. The Controller shall not be obliged to inform the Consumer, if it has taken appropriate technical and other appropriate measures with respect to the data affected by the breach of security or if it has subsequently taken measures that ensure that the breach does not lead to a high risk to the legal rights of the Consumers or if the notification would require unreasonable efforts.
IX. Persons to whom personal data are provided
1. The Controller does not provide the personal data of the Consumer to third parties, except for the cases when such provision is obligatory by law.
2. The Controller shall not transfer personal data to any third country.
X. Competent authority in relation to personal data protection
1. In case of violation of the rights of the Consumers, mentioned above or provided for in the applicable legislation for personal data protection, the Consumers have the right to file a complaint to the Commission for Personal Data Protection with registered office and address: Sofia 1592, bul. „Prof. Tsvetan Lazarov” № 2, Phone: 02 915 3 518, Website: www.cpdp.bg. Nevertheless, the Consumers may at any time send complaints, inquiries, etc. on any issues related to their personal data to the Controller at the email address office@niksen.bg.