Your privacy is very important to us. We handle all Personal Data in accordance with the GDPR and any subordinate legislation and regulation implementing the GDPR and/or SCC which may apply (in accordance with the principle of accountability). We never share your Personal Data with unauthorized third parties and we never sell or trade any Personal Data.
User: A person that visits the Website.
Customer: a person that purchases a product through the Website.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
SCC: Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
PERSONAL DATA CONTROLLER
Custom Poster Club is the Personal Data Controller regarding all Processing of Personal Data that is performed by Custom Poster Club or on behalf of Custom Poster Club, and is responsible for ensuring that the Processing takes place in accordance with the GDPR (according to the principle of liability).
WHY WE PROCESS PERSONAL DATA
According to the principle of purpose limitation, we may only Process Personal Data for special, explicitly stated and justified purposes.
The main purposes of our Processing of Personal Data are to:
- provide our services,
- deliver purchased products to the Customer,
- improve and develop our services and the Website,
- fulfill our obligations under agreements, and
- fulfill our legal obligations under applicable law.
HOW WE RECEIVE PERSONAL DATA
We receive Personal Data that Users provide to us when the User registers a User account on the Website, registers to receive any newsletters from us, contacts us, makes a purchase through the Website or conducts other activities on the Website. Personal Data may also be collected automatically, through any third-party applications that are connected to the Website, such as Google Analytics.
We may also Process Personal Data that we gain access to through your use of the Website, such as information about which pages or advertisements you click on, how long you use the Website, what you are searching for, etc.
We may also collect purchase history and information about your purchases of our products that we sell through the Website. The Personal Data we receive is Processed carefully and is not shared with unauthorized persons. We do not register more Personal Data than what is adequate, necessary and relevant in order to fulfill the purpose for which it was collected (according to the principle of purpose limitation).
CATEGORIES OF PERSONAL DATA
We mainly Process the following categories of Personal Data:
Identification information: name.
Contact information: address, shipping address, telephone number and e-mail address.
Demographic information: gender, geographic location, usage data.
Financial information: purchase history, payment history, order history, credits, liabilities.
Other information: IP-address, family members'/friends' names and date of birth, other Personal Data that is provided to us by the Data Subject, for example when contacting our customer service, or that the User registers on the Website.
INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA AND THE LEGAL BASIS FOR THE PROCESSING
We try to only Process Personal Data that is necessary, adequate and relevant for each individual purpose, in accordance with the principle of purpose limitation and data minimization regarding the storage of Personal Data.
All Processing of Personal Data that we perform is supported by a legal basis (according to the principle of legality, correctness and transparency). You can read more about our Processing of Personal Data and the legal basis for such Processing below.
When you make a purchase through the Website
- When you purchase our products from our Website, we get access to your Personal Data that you register in connection with the purchase. Payment is made through the payment solutions that are integrated on the Website. More information about the terms and conditions regarding purchases through our Website can be read through the following link: LINK.
Categories of Personal Data:
- Order information: Order-ID, invoices, order history, delivery address (e-mail), canceled orders, completed orders. This information is Processed by us every time you place an order. We also Process the data to improve our services. Legal basis: Legitimate interest.
- Payment information: Payment method, pseudonymised credit / debit card information. We need to Process this information in order to be able to track the payments you have made and link them with the orders you have made in order to enable delivery of the order. Legal basis: Contract.
When you contact us
- We Process your Personal Data when you contact us, so that we can know who we are talking to and to be able to help you in the matter. This also applies if you contact us via social media.
- Categories of Personal Data: name, address, telephone number, e-mail, ID from social media (if applicable), message content. Legal basis: Legitimate interest.
When you visit our Website
- Our Website uses Google Analytics, which is a third-party application, that analyzes the User’s activity on the Website. We get access to unidentified usage information about how Users use the Website and all information that is sent to Google Analytics is anonymized. We use Google Analytics in order to improve our services and the Website.
- Categories of Personal Data: Device identification, operating system, operating version, device-ID, access time, configuration settings, IP-address, time zone, country. Legal basis: Legitimate interest.
When you register for any newsletter from us
- You may consent to receive any newsletters from us, through voluntary active approval to the Processing for that purpose. You can cancel your subscription at any time by clicking on the unsubscribe link in the newsletter or by emailing us at: email@example.com.
- Categories of Personal Data: e-mail. Legal basis: Consent.
Other reasons for the Processing of Personal Data
- Legal obligation: We have the right to Process Personal Data if we have a legal obligation to do so, for example according to the Swedish Bookkeeping Act (1999:1078). In such cases, only necessary Personal Data will be Processed for as long as the law requires. Personal Data that is part of any necessary accounting documentation is stored for as long as the law requires.
- Fulfillment of contract: We have the right to Process Personal Data on the legal basis of “Contract”, in order to fulfill our obligations under a contract with the Data Subject.
- Legitimate interests: We have the right to Process Personal Data, based on the legal basis “Legitimate interests”, for example for direct marketing purposes, to Process any necessary Personal Data in order to comply with applicable law, demand payment for a past due claim, report a debt, protect our rights and property or to prevent fraud and other crimes. However, we never process sensitive Personal Data on this legal basis. Data Subjects have the right to object in writing if the Data Subject does not want us to use their Personal Data for direct marketing purposes.
STORAGE OF PERSONAL DATA
Storage location: We strive to store and Process all Personal Data within the EU/EEA (according to the principle of integrity and confidentiality). If we store Personal Data in a country outside of the EU/EEA, the storage location must comply with the provisions of the GDPR and applicable SCC. We shall in such cases also enter into a Data Processing Agreement that is compliant with the regulations stated in the GDPR and applicable SCC.
Storage duration: We store Personal Data as long as it’s needed and necessary to fulfill the purposes for which the Personal Data was collected. If it is necessary for us to comply with applicable legislation, we may store Personal Data for a longer period for that purpose. Personal Data connected to your User Account on the Website will be stored until your User Account is deleted by you. You may delete your User Account at any time.
Erasure of Personal Data: Personal Data that is no longer needed will be erased (deleted) (according to the principle of storage limitation). We do not store Personal Data for longer periods than permitted by GDPR. The Website is backed up daily. Any erased content / Personal Data may be stored in the system's backup files for up to three (3) months before being permanently deleted.
SHARING OF PERSONAL DATA
Authorities: We may share Personal Data with relevant authorities to prevent crime, protect and safeguard our interests and rights. We may also share Personal Data if we are obliged by law or authority decision to disclose the Personal Data that we Process.
Sub-processors: When you enter into an agreement with us, you agree that we have the right to engage Sub-processors to fulfill the obligations under the agreement between us. We engage Sub-processors as part of the delivery of our services, including to provide the Website and to deliver the purchased products. This means that we may disclose Personal Data to such engaged Sub-processors, to fulfill our obligations under the agreement, applicable legislation, legal obligations, to safeguard our legal interests or to detect and prevent technical or security issues with the Website. For example, we hire a server provider, hosting provider, provider of business systems, email systems, third-party applications and third-party systems, etc. We ensure that the Sub-processors we hire undertake an obligation to handle Personal Data in accordance with the GDPR, by entering into a written Data Processing Agreement with our Sub-processors.
If a Sub-processor is located in a third country outside of the EU/EEA, we shall ensure that there is a legal basis for such a transfer and that the Sub-processor undertakes to apply adequate protection regarding the disclosed Personal Data as required by applicable law, for example by us entering into applicable SCC and requiring the Sub-processor to use other appropriate technical and organizational measures in accordance with article 28 GDPR.
If you want more information about the Sub-processors we engage, you may contact us to get information about the Sub-processors that are involved in the Processing of your Personal Data.
YOUR RIGHTS ACCORDING TO GDPR
Data Subjects have the right to:
- have their Personal Data deleted,
- gain access to their Personal Data,
- leave a complaint to a Supervisory Authority,
- have their incorrect Personal Data corrected,
- move their Personal Data (data portability),
- request a restriction on the Processing of their Personal Data,
- object to the use of their Personal Data for direct marketing and profiling,
- receive information about possible Personal Data Breaches concerning their Personal Data.
If you wish to exercise any of your rights under the GDPR, you are welcome to contact our contact person for personal data matters: Andreas Ovefelt, by sending an email to firstname.lastname@example.org. However, some of the rights apply only in certain situations and only if it is legally possible for us to implement your request.
Data protection principles: We work according to the data protection principles (Article 5 GDPR) and ensure that our team-members are aware of the principles. All our activities and security measures are conducted in a manner that ensures compliance with the provisions and requirements of the GDPR regarding adequate protection of Personal Data Processing (according to the principle of integrity and confidentiality).
Technical and organizational security measures: We apply various technical and organizational security measures focusing on the integrity of the Data Subjects and the measures protect against intrusion, abuse, loss, destruction and other changes that may pose a risk to privacy (according to the principle of privacy and confidentiality). We have established internal routines to ensure secure Personal Data Processing and all our internal registers and systems are password protected. Only authorized employees have access to the passwords to our registers that contain Personal Data. In addition, we have established internal routines for the Processing of Personal Data that all employees must follow, to ensure a safe and secure Processing of the Personal Data. Also, in order for us to protect our network and prevent unauthorized access to it, we have web browser certification, use SSL (Secure Sockets Layer) for secure data transfer over networks and/or the internet, and we also use appropriate antivirus software and firewalls.
PERSONAL DATA BREACH
Any Personal Data Breach must be reported to the Swedish Authority for Privacy Protection within 72 hours, when required by the GDPR. Data Subjects affected by a Personal Data Breach must also be notified, when required by the GDPR. All Personal Data Breaches are documented internally and notified to our contact person for Personal Data matters.
QUESTIONS OR COMPLAINTS