1. General provisions
principles governing the collection, processing and storage of
personal data. Personal data is collected and processed by the
controller of personal data Naturelovers OÜ (hereinafter data
subject is a customer or other natural person whose personal data is
processed by the data controller.
customer is anyone who purchases goods or services from the data
1.4. The data controller shall follow the principles
of data processing provided by legislation, among other obligations
taken, the data controller shall process personal data legally,
fairly and securely. The data controller is able to confirm that
personal data has been processed in accordance with the legislation.
2. Collection, processing and storage
of personal data
2.1. The personal data that has been collected,
processed and stored by the data controller has been collected
electronically, mainly using the website and e-mail.
2.2. By sharing his personal data, the data subject
gives the data controller the right to collect, organize, use and
manage personal data which the data subject directly or indirectly
shares with the data controller when purchasing goods or services on
the website; the permission is granted for the purposes defined in
2.3. The data subject is responsible for ensuring
that the data provided by him is accurate, correct and complete.
Knowingly providing false information is considered to be a violation
notify the data controller of any changes in the submitted data.
2.4. The data controller shall not be liable for any
damage caused to the data subject or third parties due to the
submission of false data by the data subject.
3. Processing of customers’ personal
3.1. The data controller may process the following
personal data of the data subject:
3.1.1. first and last name;
3.1.2. date of birth;
3.1.3. phone number;
3.1.4. e-mail address;
3.1.5. delivery address;
3.1.6. bank account number;
3.1.7. payment card details.
3.2. In addition to the above, the data
controller has the right to collect data about the customer that is
available in public registers.
3.3. The legal bases for the processing of personal
data are subparagraphs 6 (1) a), b), c) and f) of the General Data
a) the data subject has given consent to the
processing of his or her personal data for one or more specific
b) processing of personal data is necessary for the
performance of a contract to which the data subject is party or in
order to take steps at the request of the data subject prior to
entering into a contract;
c) processing of personal data is necessary for
compliance with a legal obligation to which the controller is
f) processing of personal data is necessary for the
purposes of the legitimate interests pursued by the controller or by
a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject
which require protection of personal data, in particular where the
data subject is a child.
3.4. Processing of personal data according to its
3.4.1. Purpose of processing – security and
Maximum period of storing of personal data – according
to the terms specified by law
3.4.2. Purpose of processing – order
Maximum period of storing of personal data –
according to the terms specified
3.4.3. Purpose of processing – ensuring the
operation of online store services
Maximum period of storing of
personal data – 3 months
3.4.4. Purpose of processing – customer
Maximum period of storing of personal data – 3
3.4.5. Purpose of processing – financial
Maximum period of storing of personal
data – according to the terms specified by law
3.4.6. Purpose of processing –
Maximum period of storing of personal data – 24
3.5. The data controller has the right to share the
personal data of customers with third parties, such as authorized
data processors, accountants, transport and courier companies,
companies providing payment services. The data controller is the
controller of personal data. The data controller shall forward the
personal data necessary for making payments to the authorized
processor Maksekeskus AS.
3.6. When processing and storing the personal data of
the data subject, the data controller shall implement organisational
and technical measures to ensure the protection of personal data
against accidental or unlawful destruction, alteration, disclosure
and any other unlawful processing of personal data.
3.7. The data controller shall store the data
of data subjects depending on the purpose of processing data, but not
longer than five years.
4. Rights of the data subject
4.1. The data subject has the right to access and
inspect his personal data.
4.2. The data subject has the right to receive
information about the processing of his personal data.
4.3. The data subject has the right to supplement or
amend inaccurate data.
4.4. If the data controller processes the personal
data of the data subject on the basis of the data subject’s
consent, the data subject has the right to withdraw the consent at
4.5. The data subject can contact the online
store customer support at firstname.lastname@example.org
to exercise his rights.
4.6. The data subject has the opportunity to submit a
complaint to the Data Protection Inspectorate to protect his rights.
5. Final provisions
5.1. These data protection conditions have been drawn
up in accordance with Regulation (EU) No 2016/679 of the European
Parliament and of the Council on the protection of individuals with
regard to the processing of personal data and on the free movement of
such data and repealing Directive 95/46/EC / EC (General Data
Protection Regulation, Personal Data Protection Act of the Republic
of Estonia and the legislation of the Republic of Estonia and the
5.2. The data controller has the right to
change the data protection conditions in part or in full by notifying
the data subjects of the changes via the website