Data Protection Policy

Introduction

1.1 Purpose

This Data Protection Policy outlines the principles and guidelines to be followed by our e-commerce website ("www.surya.eu"), based in The Netherlands, to ensure the protection and privacy of user data. This policy aims to comply with the General Data Protection Regulation (GDPR) guidelines.

1.2 Scope

This policy applies to all personal data collected, processed, and stored by the Website in the course of providing services related to account creation, browsing, purchasing, payment, and order tracking of home furnishing items.

Definitions

2.1 Personal Data

Personal data refers to any information relating to an identified or identifiable individual, such as name, address, email address, payment details, and order history.

2.2 Data Controller

The Website, which determines the purposes and means of personal data processing, is the data controller as defined by the GDPR.

2.3 Data Processor

Any third-party entity engaged by the Website to process personal data on its behalf, such as payment gateways or logistics providers, is considered a data processor.

Data Collection and Processing

3.1 Lawful Basis for Processing

The Website will only process personal data if it has a lawful basis for doing so, such as user consent, the necessity to fulfil an order, legal obligations, or legitimate interests pursued by the Website or a third party.

3.2 Types of Personal Data Collected

The Website collects and processes the following personal data for the specified purposes:

  • Account Creation: Name, email address, password (encrypted), address details, and contact information.

  • Browsing: IP address, cookies, and other usage data for statistical analysis and website improvement.

  • Purchasing: Personal data necessary for order processing, including billing and shipping addresses, phone numbers, and order history.

  • Payment: Payment details, such as credit card numbers, are securely processed by third-party payment gateways. The Website does not store or retain full payment card information.

  • Order Tracking: Information related to order status and delivery, such as tracking numbers and shipping carrier details.

3.3 Data Minimization

The Website will only collect and process personal data that is necessary and relevant for the specified purposes. Data collected will be limited to the minimum required.

3.4 Data Retention

Personal data will be retained for as long as necessary to fulfil the purposes for which it was collected and in accordance with legal obligations. When data is no longer required, it will be securely erased or anonymized.

User Rights

4.1 Right to Access and Rectification

Users have the right to access their personal data and request its rectification if inaccurate or incomplete. Users can update their account information directly through the Website's account settings.

4.2 Right to Erasure

Users can request the erasure of their personal data under certain circumstances, such as withdrawal of consent or if the data is no longer necessary for the purposes it was collected.

4.3 Right to Data Portability

Users have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller, where technically feasible.

4.4 Right to Restriction of Processing

Users can request the restriction of processing their personal data under specific circumstances, such as the accuracy of the data being contested or unlawful processing.

4.5 Right to Object

Users have the right to object to the processing of their personal data based on legitimate interests. The Website will cease processing the data, unless compelling legitimate grounds override the individual's interests, rights, and freedoms.

4.6 Right to Withdraw Consent

Where personal data processing is based on user consent, individuals have the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Data Security

5.1 Confidentiality and Integrity

The Website employs technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data. These measures include encryption, access controls, regular security assessments, and staff training on data protection.

5.2 Data Breach Response

In the event of a data breach that may pose a risk to individuals' rights and freedoms, the Website will promptly notify the relevant supervisory authority and affected individuals, as required by applicable laws and regulations.

Data Transfers

6.1 Transfers within the EU/EEA

The Website may transfer personal data to other countries within the European Union (EU) or European Economic Area (EEA) without additional safeguards, as these countries are considered to provide an adequate level of data protection.

6.2 Transfers outside the EU/EEA

If personal data is transferred outside the EU/EEA, the Website will ensure appropriate safeguards are in place, such as using standard contractual clauses or relying on an adequacy decision by the European Commission.

Third-Party Processors

7.1 Data Processors

The Website may engage third-party data processors for specific purposes, such as payment processing or order fulfilment. These processors will be carefully selected and required to comply with GDPR requirements and provide sufficient guarantees regarding data protection.

Privacy by Design and Default

8.1 Privacy Impact Assessments

The Website will conduct privacy impact assessments (PIAs) to assess the potential risks and impacts on individual privacy when developing new systems or processing personal data in a new way.

8.2 Privacy by Default

Privacy-enhancing measures, such as minimizing the collection of personal data and providing granular privacy options, will be implemented by default to ensure users have maximum control over their personal information.

Compliance and Training

9.1 Data Protection Officer (DPO)

The Website has appointed a Data Protection Officer responsible for overseeing data protection and privacy matters. Users can contact the DPO regarding any concerns or questions related to their personal data.

9.2 Staff Training

All employees and contractors who handle personal data will receive appropriate training on data protection and privacy best practices, as well as their obligations under GDPR.

Policy Review

This Data Protection Policy will be reviewed regularly to ensure its continued relevance and compliance with legal requirements. Any necessary updates will be made and communicated accordingly.

Contact information

For any inquiries or concerns related to this Data Protection Policy, users can contact the Website's Data Protection Officer at the following address:

Turan Yilmaz,

turan.yilmaz@surya.com

Surya B.V., Stationsplein 8 K,

Maastricht Limburg (NL) 6221 BT, Netherlands