Data Protection Notice
- Controller’s details
The sole trader under the trade name “Inspiration Box” with registered seat at Saronikou 21, Kallithea, zip code 17673 (tel. 6909611866, e-mail: info@inspirationbox.shop) (hereinafter the “Business”) hereby informs you, as the Data Controller, in accordance with Regulation (EU) 2016/679 (hereinafter referred to as the “GDPR”) and the relevant provisions of Hellenic legislation on the protection of personal data, as applicable, on the type of personal data collected, the source of their collection, the reason for their collection and processing, any recipients thereof, their period of retention, any transfer outside the EEA and your rights in relation to the processing of your personal data.
- Data Processing Cycle
B1. Personal data we process in the context of operating the platform (e-shop)
Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
Identification data (e.g. name, surname) | Provision of retail trade services, including e-shop services. | Article 6 para. 1 (b) GDPR – Performance of our contract | Until expiry of the relevant limitation period (Article 249 of the Hellenic Civil Code) | Data Processors:
· Accounting service providers, · providers of IT support services, · providers of hosting services, cloud providers, · providers of product and service promotion services. Financial institutions, to the extent necessary for the execution of transactions
Tax authorities, in accordance with applicable tax legislation
Transport/courier companies for the delivery of your orders
Lawyers, in so far as this is necessary for the exercise of the rights of the Business and the protection of its legitimate interests |
Contact data (e.g. postal and e-mail address, telephone number) | ||||
Payment details (e.g. credit cards, redemptions/ debts) | ||||
Billing details[1] (e.g. tax identification number, tax office) | Product billing | Article 6 para. 1 (c) GDPR in conjunction with the relevant tax legislation | ||
Transaction details (transaction history etc.) | Maintainance of order history | Article 6 para. 1 (f) GDPR | ||
Contact details (your email address) | Direct promotional activities via electronic means | Article 6 para. 1 (a) GDPR & Article 11 par. 1 of the Law 3471/2006 / Article 6 para. 1 (f) GDPR & Article 11 par. 3 of the Law 3471/2006 | Until the expiry of the limitation period following the withdrawal of your consent/ until you object to the processing of your data | Providers of product and service promotional services |
B2: Personal data we process in the context of operating a CCTV system
Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
Image and video data | Security | Article 6 para. 1 (f) GDPR – Our legitimate interest in the security of our property and employee safety | 15 days
1 month in the event of an incident
3 months in the event of an incident involving a third party | · The competent judicial, prosecutorial and police authorities, should information be necessary for the investigation of a criminal offence involving persons or property of the Controller, · the competent judicial, prosecutorial and police authorities, should they lawfully request data in the performance of their duties, · the victim or the offender, should the data constitute evidence of a criminal offence. |
B3: Personal data we process in the context of evaluating candidate employees
Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
Identification details (full name, father’s name, mother’s name, gender, date of birth, ID number/passport number) | Assessment of the candidate for recruitment purposes | Article 6 para. 1 (f) GDPR – Our legitimate interest in the recruitment of qualified personnel | 6 months or for a greater period subject to your consent | Data Processors: · providers of IT support services · providers of hosting services, cloud providers · providers of product and service promotion services |
Contact data (postal and e-mail address, telephone number) | ||||
Data contained in CVs (marital status, disabilities, education and qualifications data, work experience) |
B4. Vendor data (natural persons)
Personal Data Categories | Purpose | Legal Basis | Retention Period | Recipients |
Identification details (full name, father’s name, mother’s name, gender, date of birth, ID number/passport number) | Supply of goods and/or services to the Business | Article 6 para. 1 (b) GDPR – Performance of the contract | 5 or 20 years based on the respective limitation periods of Articles 250 and 249 of the Hellenic Civil Code | Data Processors: · Accounting service providers, · providers of IT support services · providers of hosting services, cloud providers · providers of product and service promotion services
Financial institutions, to the extent necessary for the execution of transactions |
Contact data (postal and e-mail address, telephone number) | ||||
Transaction data (invoices, tax forms, etc.) | Compliance with relevant obligations under tax law | Article 6 para. 1 (c) GDPR – Compliance with legal obligation |
*No automated decision-making processing operation, including profiling is conducted.
Data we collect automatically e.g. language settings, IP address, location, device settings, device operating system, activity details, time of use, redirect URL, status report, user information (information about browser version), operating system, browsing result (simple visitor or registered customer), browsing history. We may also collect data through cookies. For information on the use of cookies, click here.
- Transfer of data outside the EEA
The Business does not transfer your personal data to third countries. In the event of a transfer of your personal data to a country outside the European Economic Area (EEA), the legal basis for any processing of your personal data is Article 49 para. 1(b) of the GDPR.
- What rights do you have in relation to your data and how to exercise them
As clients of the Business you have several rights, in accordance with the provisions of Articles 15-22 of the GDPR, in relation to your personal data, which are processed by the Business.
The table below lists your rights per processing purpose and corresponding legal basis. In this table you will find detailed information (concept, method and time limits) and form for the exercise of each right.
If you wish to exercise a right or acquire any information concerning the process of your personal data, communicate it via email to the following address info@inspirationbox.shop. It is noted that in case there are reasonable doubts concerning the identity of the data subject, we might request the provision of additional information necessary to confirm the identity.
| ΔΙΚΑΙΩΜΑΤΑ | ||||||||
Access (15)
| Rectification (16)
| Erasure (17)
| Restriction (18)
| Portability (20)
| Objection (21) | Objection and human intervention in automated decisions (22)
| Withdrawal of consent (7.3) | ||
Provision of retail trade services, including e-shop services. (identification and contact data) | Performance of a contract [Article 6 (1)(b) GDPR] | Χ | Χ | Χ | Χ | Χ |
|
|
|
Product billing | Compliance with legal obligation [Article 6 (1)(c) GDPR] + tax legislation | Χ | Χ |
| Χ |
|
|
|
|
Promotion of goods to customers via electronic means | Overriding legitimate interest [Article 6 (1)(f) GDPR] + Law 3471/2006 11.3 | Χ | Χ | Χ | Χ |
| Χ | Χ |
|
CCTV | Overriding legitimate interest [Article 6 (1)(f) GDPR] | Χ | Χ | Χ | Χ |
| Χ |
|
|
Candidate employees | Overriding legitimate interest [Article 6 (1)(f) GDPR] | Χ | Χ | Χ | Χ |
| Χ |
|
|
Vendor data (natural pesons) | Performance of a contract [Article 6 (1)(b) GDPR] | Χ | Χ | Χ | Χ | Χ |
|
|
|
Please note that the Business has the right to refuse, partially or fully, to comply with your request to restrict the processing or erasure of your data, if the processing or retention of your personal data is necessary for the establishment, exercise or support of its legitimate rights or the fulfilment of its legal obligations.
The Business must reply to your request within one (1) month of receipt. This time limit may be extended by a further two months, if necessary, at the discretion of the Business, taking into account the complexity of the request and the number of requests, in which case the Business will inform you within one month of receipt of the extension in question and of the reasons for the delay.
If the Business does not act on your request in the exercise of the above rights or following its reply, you consider that the aforementioned rights have been infringed, you have the possibility to lodge a complaint with the Hellenic Data Protection Authority, 1-3 Kifissias Avenue, 115 23, Athens, https://www.dpa.gr/, tel. 2106475600.
[1] Some of this data is obtained from the Independent Authority for Public Revenue (IAPR).