General Information Regarding the Processing of Personal Data
- The data subject – customer / website visitor,
Controller – operating entity that runs the online shop www.stitchspider.com (ZaZeZi s. r. o., Bakošova 4714/1, 841 03 Bratislava, Slovakia, business ID no.: 46 125 329, tax identification no.: 2023253639, not VAT registered) - Personal data recipients – PayPal, Stripe, accounting company.
- Due to the extent and subject of the controller’s activities, the controller does not have an obligation to appoint a data protection officer in regard to § 44 of Act no. 18/2018 Coll. on Personal Data Protection. However, if you have any questions regarding your personal data, you can send us an email at: maria@stitchspider.com, or phone us at: +421 907 436 637.
The entity operating the website is responsible for the processing of personal data according to the regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to only as “GDPR”). The data subject has a right to request in writing information on his or her personal data, that are subject to being processed or destructed, or to request rectification of personal data by the controller. - The data subject is required to provide personal data that are truthful and up to date. The rights of the data subject are governed by chapter 3 of GDPR. The data subject has a right to: file a complaint to the supervisory body, object to processing, request access to personal data regarding the data subject from the controller, rectification or erasure or restriction of processing of personal data, as well as the right to data portability.
Guidance on the Data Subject’s Rights
The data subject has a right to request in writing from the controller:
a) confirmation as to whether or not personal data concerning the subject are being processed,
b) information in a generally comprehensible form, about the processing of personal data in the information system in the following scope: the controller’s and processor’s (if appointed) identification data; the purposes for the processing for which the personal data are intended; the list or extent of the personal data being processed; guidance whether the provision of personal data is a voluntary or mandatory requirement, the period for which the consent will be valid or a notification which legal regulation requires the personal data to be provided; third parties if personal data are to be provided to them; the list of recipients, if personal data are to be disclosed to them; the form in which the personal data will be disclosed, if they are to be disclosed; third countries, if a transfer of data to these countries is to occur.
c) information in a generally comprehensible form, about the exact source, from which the controller obtained his or her personal data for processing,
d) a list, in a generally understandable form, of his or her personal data that are subject to being processed,
e) rectification or erasure of incorrect, incomplete or outdated personal data that are subject to being processed,
f) erasure of personal data, no longer necessary in relation to the purposes for which they were processed; if official documents containing personal data are subject to being processed, then you may request their return,
g) erasure of personal data, that are subject to being processed, if a breach of law has occurred,
h) blocking of his or her personal data due to consent withdrawal before the period for which the consent is to be valid has run out, if the controller is processing personal data based on said consent. This request or information that personal data have been leaked or any other serious matters regarding the processing of personal data by the controller may be addressed to the controller at the aforementioned address or at the phone no. : +421 907 436 637, or by email at: maria@stitchspider.com.
Right of Access to Personal Data
As the data subject you have a right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed. If the controller is processing your personal data, you have a right to obtain access to them; you also have a right to further information on the purpose for which your personal data is being processed; the category of the processed personal data, information about those, to whom your personal data will be or has been disclosed, if possible, in particular about recipients in third countries or an international organization if the personal data are being transferred to a third country or an international organization, you have a right to be informed about the legally binding appropriate safeguards, the period for which the personal data are to be stored; if it is not possible, information on the criteria of its appointment, the right to request correction of your personal data, their erasure or limitation of their processing or about the right to object to the processing of personal data, the right to file a motion for initiating proceedings regarding personal data protection, the source of personal data, if the personal data haven’t been obtained from you, the existence of automated individual decision making, including profiling. Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a person, in particular concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements). In such cases, the controller will provide the data subject with information in particular regarding the process used, as well as the purpose for such processing of personal data and the estimated consequences for the data subject. The controller is required to provide you with your personal data that he is processing. If the personal data are to be provided repeatedly, the controller may request an appropriate administrative handling fee. The controller is required to provide you with your personal data in the form requested by you. The right to obtain personal data cannot have negative consequence on the rights of others.
Right to Rectification of Personal Data
As the data subject you have a right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning yourself. Taking into account the purpose for the processing of personal data, you have the right to have your incomplete personal data completed.
Right to Object to Processing of Personal Data
You have the right to object, on grounds relating to your particular situation, to processing of personal data, if the controller uses profiling or when your personal data is being processed according to this legal basis:
- Processing of personal data is necessary for the performance of a task carried out for reasons of public interest or in the exercise of official authority vested in the controller
- Processing of personal data is necessary for the purpose of justifiable interests of the controller or a third party. The controller can no longer process your personal data, unless demonstrating compelling legitimate grounds for the processing of personal data which override your rights or interests or reasons to exercise legal rights. You have the right to object processing of personal data concerning yourself for direct marketing purposes, including profiling, to the extent that it is related to such direct marketing. When you object to processing of personal data for direct marketing purposes, the personal data shall no longer be processed by the controller for such purposes. Where personal data are processed for scientific or historical research purposes or statistical purposes, you have the right to object, on grounds relating to your particular situation, to processing of personal data concerning yourself, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to Erasure of Personal Data
As the data subject you have the right to obtain from the controller the erasure of personal data concerning yourself without undue delay. When you request the controller to erase your personal data, the controller has the obligation to erase them in the following cases:
- the personal data are no longer necessary in relation to the purpose, for which they were collected or otherwise processed,
- you withdraw consent on which the processing of your personal data by the controller is based, and where there is no other legal ground for the processing of personal data,
- you will object to the processing of your personal data and there are no overriding legitimate grounds for the processing of personal data, or you will object to the processing of personal data for the purposes of direct marketing including profiling in the scope that it is related to such direct marketing,
- the personal data are being unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation,
- the personal data have been collected in relation to the offer of information society services referred to in § 15 (1) of the act. Where the controller has made your personal data public and is obliged pursuant to the aforementioned conditions to erase them, the controller, taking account of available technology and costs, also has the obligation to inform other controllers, who are processing your personal data, to erase any links to, or copies or replications of your personal data by such controllers.
The controller does not have the obligation to erase your personal data if they are necessary:
a) for exercising the right of freedom of expression and information
b) for compliance with a legal obligation or an international treaty or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
c) for reasons of public interest in the area of public health,
d) for archiving purposes, for scientific, or historical research purposes or statistical purposes in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the exercise of legal claims.
Right to Restriction of Processing of Personal Data
You have the right to obtain from the controller restriction of processing of your personal data if:
a) you are contesting the accuracy of your personal data, for a period enabling the controller to verify their accuracy,
b) the processing of your personal data is unlawful and as opposed to their erasure you request the restriction of their use instead,
c) the controller no longer needs the personal data for the purposes of personal data processing, but they are required by you for the exercise of legal claims, or,
d) you object to processing of personal data;
e) the controller shall restrict the processing of your personal data pending the verification whether the legitimate grounds of the controller override yours. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the exercise of legal claims, the protection of the rights of others or for reasons of public interest. The controller has an obligation to inform you before the restriction of processing of personal data is lifted.
Notification Obligation Regarding Rectification, Erasure or Restriction of Processing of Personal Data
The controller has an obligation to communicate any rectification, erasure or restriction of processing of your personal data to the recipient (anyone to whom the personal data have been disclosed), unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if you request it.
Right to Personal Data Portability
You have the right to receive the personal data concerning yourself, which you have provided to a controller, in a structured, commonly used and machine-readable format. At the same time, you have the right to transmit these data to another controller, if technically feasible, and if the processing of your personal data is carried out by automated means (i.e. in electronic form), wherein the personal data are being processed either:
a) based on your consent,
b) or if they are necessary for the fulfillment of a contract, to which you are a party of, or for performing measures before a contract is concluded based on your request. This right shall not adversely affect the rights of others. Exercising the right to portability does not affect the right to erasure of personal data. The right to portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to File a Motion for Initiating Proceedings Regarding Personal Data Protection
In case your legal rights on the protection of personal data have been directly affected, you have a right, based on § 100 of this act, to file a motion for initiating proceedings regarding personal data protection with the Office for Personal Data Protection of the Slovak Republic. The purpose of the proceedings is to determine whether in processing the personal data of a physical person an infringement of his or her rights has occurred, or whether an infringement of law has occurred and in case of findings, if justifiable and effective, to determine corrective measures, conceivably impose a fine for law infringement. The motion template is published by the Office on its website. The motion for initiating proceedings must include evidence to support the claims listed in the motion and a copy of a document or any other evidence proving the exercise of the rights with the controller (the right of access to personal data, the right to request rectification of personal data, the right to erasure or restriction of processing of personal data, the right to object to processing of personal data, the right to data portability), if the data subject has exercised given rights, or a list of reasons worthy of individual consideration on why the subject rights haven’t been exercised.
The aforementioned rights (except the right to file a motion for initiating proceedings regarding personal data protection) can be exercised with the controller, who is conducting monitoring over the processing of personal data, by email or in writing by post. Information that personal data has been leaked or any other serious matters regarding the processing of personal data by the controller may also be addressed to the controller.
In suspecting that his or her personal data are being unlawfully processed, the data subject may file a motion for initiating proceedings regarding personal data protection with the Office for Personal Data Protection of the Slovak Republic seated at Hraničná 12, 820 07 Bratislava 27, Slovak Republic, or contact the office by means of its website http://www.dataprotection.gov.sk.
If the data subject is not fully legally competent, his or her rights may be exercised by his or her legal representative. If the data subject is not alive, his or her rights established according to this law, may be exercised by a close relative.
The request of the data subject, according to the act on the protection of personal data, shall be processed by the controller free of charge, except for payments in the amount, that may not exceed the amount of objectively incurred factual costs associated with making copies or providing technical carriers and delivering information to the data subject, unless a separate act does not stipulate otherwise. The controller has an obligation to process the data subject’s requests in writing no later than 30 days from the date that the request was delivered. The restriction of the rights of the data subject according to the act on the protection of personal data shall be communicated by the controller in writing without undue delay to the data subject and the Office for Personal Data Protection of the Slovak Republic.
Thus, the controller has informed you, as the data subject, about the protection of your personal data and has informed you about your rights in relation to the protection of personal data within the scope of this written informational obligation.
Processing of Personal Data for the Purpose of Completing an Order
- The purpose for processing of personal data: issuing a tax receipt, contacting the consumer regarding an order, fulfilling a contract, processing of a claim in regard to liability for defects of sold products – as ensuing from the fulfillment of a contract.
- Legal basis for processing of personal data:
a) Processing of personal data (name, surname, title, street and house number, ZIP code, city) is necessary under a specific regulation or an international treaty, that is binding for the Slovak Republic. Particularly, in accordance with the Act No. 222/2004 Coll. on Value Added Tax.
b) Processing of personal data (email, telephone number) is necessary for the fulfillment of a contract. - Period for personal data retention – 5 years.
Processing of Personal Data for the Purpose of Delivering Marketing Information
The aforementioned general information is also valid for the processing of personal data for the purpose of delivering marketing information, and in addition:
- The purpose for processing of personal data: delivering marketing information.
- Legal basis for processing of personal data: Art. (6) (1) (a) GDPR – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Period for personal data retention – 5 years.
Processing of Personal Data for the Purpose of Processing Cookies
The aforementioned general information is also valid for the processing of personal data for the purpose of processing cookies, and in addition:
- The purpose for processing of personal data: provision of services, sale of products via eshop, visitor analysis using Google Analytics and Google Search Console, Facebook.
Cookies are small amounts of data that are sent by the servers to the browser. The browser stores them on the user’s computer. The browser then sends the data back to the server with each next visit to the website. - Legal basis for processing of personal data: Art. (6) (1) (a) GDPR – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Period for personal data retention – the cookie files used on our website can be divided into two basic types according to their storage duration. Short-term, or so called „session cookies“, which are only temporary and are stored on your browser only until you close it, and long-term, or so called „persistent cookies“, which remain stored on your device for a longer period or until you manually remove them, in which the period for cookie file retention in your browser is dependent from the settings of the individual cookie and the settings of your browser.
Automated Individual Decision-making, Including Profiling
The data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Conditions and Means of Processing Personal Data of Data Subjects
The controller processes the personal data of data subjects in the controller’s information systems through automated and un-automated processing means. The controller shall not disclose the processed personal data, unless requested under a specific data regulation or a judicial decision or a decision of another public authority. The controller shall not process your personal data for other purposes, or within a larger scope than is listed in this information and in evidence files of the controller’s individual information systems, without your explicit consent or without accordance to other legal basis.
Automated Individual Decision-making, Including Profiling Cookies
For the purpose of monitoring of the controller’s websites, the controller uses an analytical tool, that prepares a data chain and tracks how the visitors are using the sites on the internet. When a person is browsing a site, the system generates cookies in order to track information regarding the visit (the pages visited, the time spent on our sites, browsing of information, site abandon, etc.), but these data cannot be matched to the respective person visiting the site. This tool is a tool for improving the ergonomic design of the website, for creating a user-friendly website and for improving the online experience of the users. Most internet browsers accept cookies, but visitors have an option to delete them or to automatically reject them. Because the browsers differ, each visitor can set his or her own preferences regarding cookies individually using the browser’s tools control panel. If you decide not to accept cookies, you will not be able to use certain functions of our website.
| Cookie type | Use | Cookie storage duration |
| Unconditionally required/basic | Needed for the most important/basic functions /of the website, enabling the correct operation of the website
|
1 year |
| Functional |
|
Upon leaving the site |
| Performance cookies and cookies for targeting – analytical cookies | use of third party analytical tools (Google Analytics and Google Search Console) for quality improvement – analytical cookies for the site visitors
|
Erased automatically after 2 years since your last visit to the website |
| Sharing and use across social networks |
|
Erased automatically after 2 years since your last visit to the website |
| Display quality | built in cookies, that enhance the performance for faster content download and support compatibility | Erased upon closing the browser |
| Site owner | according to the given site settings
|
1 year |
The controller uses the Google AdWords marketing tool, which enables the controller to create online advertising and address people in the exact moment when they are interested in the products or services that the controller provides. The Remarketing or Similar audiences functions in AdWords enable us to address people who have visited our websites in the past. They enable the display of advertising in search, on YouTube and in emails. Dynamic remarketing enables us to show users advertising for products or services that they have browsed in the past. The site visitors can disable the cookies, providing remarketing codes, in the appropriate browser settings.
The controller can also be contacted through Facebook. The purpose for data processing is to share the content from the controller’s websites, and the controller’s self-promotion. The visitors can learn through the Facebook site about the controller’s news, current special offers, as well as browse the photos of the controller’s featured commissions. By clicking “like” on the controller’s Facebook site, the subjects give consent to the controller to display the controller’s news and offers on their Facebook wall. On the controller’s Facebook site, the controller also publishes photos/videos from various events.
The controller discloses these data of natural persons only in case, that he has obtained their prior written consent. Further information on processing of data from the Facebook site can be found in the personal data protection guide and rules on www.facebook.com. For promotion purposes, the controller also has a profile on the Instagram social network, where the controller presents photos of featured commissions together with captions. By clicking “follow”, you agree to have the controller’s photographs displayed for you.
