- Right to be forgotten (Clause 7.6.)
- Right to be receive your personal data (Clause 7.2. and 7.3.)
- Right to object to personal data processing (Clause 7.4.)
- Right to be informed about data breaches (Clause 12)
- Unless the context requires otherwise, terms specified below shall have the indicated meanings:
Data Controller or Ownposter – means a limited company incorporated under the laws of the Republic of Lithuania. contact e-mail: [email protected]; website: www.ownposter.com.
Personal Data – means any information relating to any natural person which would allow the person to be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – means any operation or set of operations which is performed on Personal data such as: collecting, recording, organizing, storing, classifying, grouping, combining, altering (supplementing or correcting), transferring, publishing, using, logical and (or) arithmetical operations, searching, disseminating, destructing or other operation or set of operations.
Data Processor – means natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
Profiling – means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person.
Direct Marketing – means the activity of offering goods or services to Data Subjects by email, post mail, phone or other means of direct contact.
Goods – means any goods sold via the Website.
Data Subject – means a natural person who use the Website and/or buy Services from the Data Controller.
Website – means an internet site that goes by address of https://ownposter.com.
Third Party – means natural or legal person who is authorized to perform any Processing actions by Data Controller in accordance to a service agreement entered between the Third Party and Data Controller. Specifically, such Third Party may be providing legal, accounting, hosting or other services that would require revealing any Personal Data to the service provider.
- general provisions
- Ownposter only Process Personal Data which is provided by the Data Subject in order to execute transactions of sale of Goods with the users and execute all payment procedures for such transactions. Ownposter does not collect any Personal Data own its own will without the Consent of the Data Subject.
- Ownposter Process Personal Data only for the following purposes:
- Executing transactions for sale of Goods with Data Subjects in accordance to Terms of Service found on the Website;
- making Websites content more relevant to Data Subject and ensuring smooth operation of the Website (by using Cookies);
- for fulfilment of Data Processor’s duties set by laws;
- for contacting Data Subject for Direct Marketing purposes;
- Ownposter Process Personal Data only if at least one of the preceding conditions exist:
- If the Data Subject is buying any goods from Ownposter;
- Data Subject has expressed Consent regarding Processing of his/hers Personal Data;
- Personal Data Processing is mandatory by laws applicable to Data Processor.
- Ownposter Process Personal Data in accordance to the following principles of data processing:
- Personal Data shall be Processed accurately and conscientiously;
- Personal Data may be constantly updated;
- Personal Data shall not be stored longer than it is necessary;
- Data Subjects Personal Data shall be considered to be confidential and protected by the Data Processor from unlawful use.
- personal data processing
- Ownposter Process Personal Data by manual and automated means.
- name and last name;
- E-mail address;
- Delivery Address;
- Telephone number;
- Credit card, used for payment, details.
- Ownposter does not store any credit card details of any Data subjects, however we do transfer this information directly to payments processors or bank, responsible for collecting payments when a transaction between Data Subject and Ownposter is made.
- Ownposter receive and collect Personal Data in the following ways:
- Directly from Data Subjects, when they provide information during their purchase on the Website;
- Directly from Data Subjects, when Personal Data is captured by Cookies used on the Website;
- Ownposter Process Personal Data only when it is necessary for carrying out its obligations to Data Subject in accordance to the Terms of Service or with the Consent of Data Subject.
- Ownposter do not Process any Personal Data of Data Subjects who would be under the age of 16. Data Subjects under age of 16 may use the Services and provide their Personal Data to Data Processor only with a written and e-signed Consent of their parents or guardians.
- personal data and third parties
- Ownposter do not exchange or share any Personal Data with any Third Parties which does not have an establishment in any Member State of European Union, except such Third Parties which are not established in the European Union but carries its activities in the European Union and are fully compliant with the requirements of EU General Data Protection Rules (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016).
- Ownposter transfer Personal Data for Processing only to those Data Processors or Third Parties who are entitled to provide services to Ownposter by an agreement signed between the service provider and Ownposter. In all cases when transferring Personal Data to Third Parties Ownposter shall ensure that Data Processor or other subject receiving Personal Data is capable of ensuring appropriate Personal Data protection in accordance to the requirements of applicable laws.
- Ownposter transfer Personal Data only in such extent which is the least possible scope of Personal Data that is necessary to provide in order to carry out obligations set by service agreements between Data Processors and Ownposter.
- Ownposter may transfer Personal Data to the following groups of Data Processors or Third Parties:
- Payment processing subjects (banks; e-payment processors; etc.);
- Service providers (server hosting; software development support; data analysts; marketing specialists);
- Administrative service providers (lawyers; accountants);
- Authorities which have the right to receive Personal Data by law and which have provided a document issued and valid in accordance with the procedures established by laws of the Republic of Lithuania, which undoubtedly confirms the right of the recipient of the data to collect and Process Personal Data.
- terms for storing personal data
- Ownposter Process Personal Data as long as:
- While processing a transaction via the Website and shipping the Goods;
- Ownposter may exercise their rights or obligations set by laws for which Personal Data is necessary;
- Data Subject’s Consent is valid and not cancelled by the Data Subject.
- In other cases the Personal Data may be stored and Processed for no longer than 24 months after the last purchase of Goods; or Data Subject’s activity on the Website; cancelling of Consent. If the Personal Data of the specific Data Subject become irrelevant to Ownposter prior the 24 months term specified in this Clause, Ownposter may erase the Personal Data before the end of 24 months term.
- If Data Subject request Ownposter to permanently delete all of it’s Personal Data provided to Ownposter (right to be forgotten), such request will be fulfilled within 20 days from receiving and Ownposter shall delete all Personal Data of the Data Subject who has provided the request. However, Ownposter may hold the execution of such request or refuse to permanently delete all Personal Data, if Personal Data requested to be deleted are necessary for Ownposter in order to exercise its’ rights or obligations imposed by laws.
- Impersonalized and aggregated Personal Data, i.e. such data that does not allow to identify a specific Data Subject, as well as other data that cannot be linked to any specific person, may for statistical purposes be stored in Ownposter database for indefinite term, depending on the needs of Ownposter.
- Data subjects rights
- Data Subjects has the following rights:
- To receive full information about Personal Data Processed by Ownposter;
- To receive in regular computer readable form all copies of Personal Data which he has provided to Ownposter;
- Demand for amendment, deletion or limitation of the scope of Personal Data Processed by Ownposter;
- Demand to stop all Processing actions which involve Personal Data of the Data Subject;
- Cancel his/hers Consent for Personal Data Processing;
- Demand for permanent deletion of all Personal Data Processed by Ownposter (right to be forgotten).
- Data Subject shall have the right at any time to address Ownposter with a request regarding providing the information about Data Subject’s Personal Data being processed. Upon the request of the Data Subject, Ownposter, by post mail or e-mail, within 20 calendar days provide the Data Subject with Personal Data he requested and which is in Ownposter possession.
- Data Subject when exercising his right to receive all Personal Data provided by him to Ownposter, shall be provided with the Personal Data in a systematized, regular and widely used computer-readable format (pdf). This data shall be provided to the Data subject free of charge once in 6 months. If Data Subject requests for information more frequently, such request may be subject to additional charges.
- Data Subject shall have the right to claim the rectification of false, incomplete and/or inaccurate Personal Data of his and/or suspend Processing of such data, provided that the Data Subject determines that his Personal Data is false, incomplete and/or inaccurate and Data Subject cannot rectify such data himself, or if he determines that Personal Data is processed unlawfully and not in a good faith.
- Data subject shall have the right to object to Personal Data Processing for the purposes of Direct Marketing. The right to object can be exercised by notifying Ownposter by e-mail or in the preferences of Data Subject’s Profile.
- Data Subject has the right to object the Personal Data processing and/or to request the erasure of Personal data (the right to be forgotten). Once received the request of the Data subject for the erasure of all of his Personal data Ownposter shall within 20 calendar days destroy all Personal Data of the Data subject and delete the Data Subject’s Profile on the Website.
- Ownposter has the right to refuse to comply with Data Subject’s request for the erasure of the Personal Data or restriction of Processing of Personal Data, if it cannot terminate Personal Data Processing and erase Personal Data due to obligations set in the applicable laws or due to lawful instructions of relevant authorities.
- Data Subject can exercise all of his rights established in these Rules by notifying Ownposter via regular post mail or email: [email protected]). Data Subject together with his request should provide a copy of personal identity document which would allow Ownposter to identify the Data Subject. If Data Subject does not provide his personal identity document, Ownposter may refuse to consider the request. In some cases, requests may be denied if the Personal Data can’t be erased or stopped Processing due to legitimate interests of Ownposter and/or specific obligations set to Ownposter by applicable laws.
- Ownposter ensure all other rights, guarantees and interests of the Data Subjects which are provided by applicable laws.
- Direct Marketing
- Ownposter may use Data Subjects email address and phone number for Direct Marketing purposes in form of informational emails and newsletters.
- Data Subject may restrict Personal Data use for Direct Marketing by expressing his withdraw of Consent for Personal Data use for Direct Marketing at any time. Ownposter stop using Personal Data for Direct Marketing purposes immediately after receiving Data Subjects withdrawal of Consent.
- Ownposter use following Cookies:
- Processing related cookies. Ownposter Website offers e-commerce or payment facilities and some Cookies are essential to ensure that your order is remembered between pages so that Ownposter can process it properly.
- Forms related Cookies. In order to provide Data Subjects with a great experience on the Website Ownposter provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences we need to set Cookies so that this information can be called whenever you interact with a page is affected by your preferences.
- Google Analytics – this Cookie is an analytic solution for helping Ownposter to understand how the Website users use the Website and ways that Ownposter could improve user experience;
- Google AdSense – this Cookie is used to serve advertising that would be more relevant to Data Subjects across the web and limit the number of times that a given ad is shown to Data Subject.
- Affiliate tracking Cookies which allow Ownposter to see if a customer have come to the website through one of its affiliate partners sites or links;
- OPEND Advertising Technology Cookies – these Cookies allow to send targeted advertising communications to the Data Subjects. However no Personal Data which would allow to identify a specific Data Subject as a person, is transferred via OPENED Cookies.
- Personal data protection implementation measures
- Ownposter implement appropriate organizational and technical measures in order to protect Personal Data from accidental or unlawful destruction, alteration, disclosure and any other unlawful processing. To ensure Personal Data protection Ownposter implement or intend to implement the following Personal data protection measures:
- Administrative (secure processing of documents and computer data and their archiving, as well as regulating the organization of work for different areas of activity, introducing personnel to the requirements of Personal data security before and after employment or in similar relations and etc.);
- Hardware and software security (administration of servers, information systems and databases, maintenance of working areas and Ownposter premises, maintaining the security standards for the servers where databases are stored and etc.);
- Communications and computer network protection (common use data, programs, firewalling) and etc.
- Ownposter store all Personal Data in the data storage servers of “Google Cloud Storage” or other secured remote servers. Ownposter ensure that the security of the remote server where Personal Data is stored is secured by the following measures:
- Access to data cache where Personal Data is stored is accessible with the use of two-factor authentication technology, where the person logging in has to submit his unique password and additionally confirm his identity by using other device attributed only to him (i.e., electronic signature). Access to server data is granted only to Ownposter employees or authorized persons;
- All Personal Data kept in servers or data storage devices are encrypted;
- Personal Data backups are performed periodically, every 24 hours;
- Servers keeps record of all login and data Processing operations history;
- Ownposter use only those remote server service providers who can ensure appropriate compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 regarding General Data Protection Rules and can provide evidence proving that.
- All Personal data processed by Ownposter which is in non-digital form (i.e. in the form of material documents), is stored in accordance with the following security rules:
- Documents containing Personal Data are handed over only to those Ownposter employees who require said documents for carrying out their job functions or carrying out specific tasks that involve the use of Personal Data;
- Documents containing Personal Data in no case can be stored in the premises of Ownposter that are intended for common use or premises which have unrestricted access;
- Ownposter employees or authorized persons may not, in any case, leave the documents containing Personal Data in a single room with other persons who are not mandated by Ownposter to perform Personal Data Processing actions;
- Ownposter employees are not permitted to remove the documents from Ownposter premises, which contain Personal Data or copies of such data, unless it is necessary for the proper performance of job functions or for carrying out Ownposter obligations set by existing contracts.
- Ownposter personnel, who process Personal Data, may only perform Personal Data processing actions using the computers or intelligent devices, which are owned by Ownposter and are intended for performing work related tasks, and which have licensed and secure software installed in them. All of the computers or intelligent devices, used for Personal Data Processing by Ownposter employees, must be protected by passwords which must be changed at least once in every 3 months and must consist of a combination of at least 8 symbols with lower case and upper case letters and numbers.
- Ownposter perform testing of managed IT systems, including databases, which test reliability, resistance to overload, resistance to cyber-attack, viruses and other threats to system reliability of Ownposter servers and information systems at least once a year. During the testing of Ownposter controlled systems, Personal Data of actual Data Subjects are not used.
- personal data of children
- The processing of the Personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that Consent is given by the holder of parental responsibility over the child.
- Ownposter Process the Personal Data of children younger than 16 years old only where the Consent is given by the holder of parental responsibility over the child in an appropriate form, as it is provided under the provisions of applicable laws.
- If Ownposter determines that the Data Subject, who is under 16 years old, has submitted Personal Data without the Consent of the holder of parental responsibility over the child or by indicating the wrong age, Ownposter, from the moment that such information is discovered, will take reasonable steps to immediately erase the Personal Data of this Data Subject. In such case, Ownposter may delete the Data Subjects Profile.
- data protection incidents
- Personal data security breach – means an act or omission that results or may result in undesirable consequences as well as are in conflict with the stipulations provided by the legislation regarding Personal Data security. The degree of impact, damage and the consequences of Personal data protection breach in each case shall be determined by the Ownposter or by a commission established by its authorized person.
- In the event of Personal data security breach, Ownposter shall immediately, but no later than within 48 hours of becoming aware of Personal Data security breach, notify the State data protection inspectorate and the Data Subjects whose Personal Data has been breached. Ownposter may not inform Data Subjects about Personal Data security breach if such breach of Personal Data security does not pose any real risk to the rights and freedoms of the Data subjects.
- In cases where the breach of Personal Data protection is not due to force majeure cases (lightning, flood, fire and etc.) and is a direct consequence of human action, from the moment Ownposter becomes aware of the breach of Personal Data protection, it shall immediately notify the relevant law enforcement authorities regarding possible criminal offence committed.
- Final provisions