Ensuring the right to the protection of personal data is a fundamental commitment of THAIco SPA. Therefore, we will dedicate all the resources and efforts required to process your data in full compliance with Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), as well as with any other legislation applicable in Romania. Since one of the key principles of this legal framework is transparency, we have prepared this document to inform you about how we collect, use, transfer and protect your personal data when you interact with us about our products and services, including through our website and through mobile applications.
Who we are and how to contact us
THAIco SPA is the trade name of VIP EVENTS SRL, a Romanian legal entity with its registered office in Bucharest, 1 Intrarea Sevastopol Street, District 1, Trade Register Office no. J40/3309/2009, Tax Identification Number 25267799 (hereinafter referred to as “THAIco SPA”, “us” or “we”). Within the meaning of the data protection legislation, we are a controller when we process your personal data.
Since we are always open to hearing your views and providing you with any additional information you may need regarding the processing of your data, we encourage you to contact the THAIco SPA data protection officer at the email address email@example.com or by post or courier at 1 Intrarea Sevastopol Street, District 1, Bucharest, specifying “to the attention of the THAIco SPA data protection officer”.
What categories of personal data do we process?
We generally collect your personal data directly from you, so you have control over the type of information you provide us. For example, we get information from you as follows:
When you place an order, you provide us with information such as the desired product, last name and first name, delivery address, invoicing information, payment method, phone number, bank card information etc.
In order to customize your online experience and to provide you with offers adapted to your profile, we can also collect and subsequently process certain information on your behavior while visiting our website or using the smartphone application. Please find out more on this matter by consulting the section on the purposes of the processing below.
We do not collect or otherwise process sensitive data that the General Data Protection Regulation classifies as special categories of personal data. We also do not want to collect or process data of minors under the age of 16.
What are the purposes and grounds of processing?
We will use your personal data for the following purposes:
To provide THAIco SPA services for your benefit
As the case may be, this general purpose may include the following:
- Processing orders, including placement, validation, shipping and invoicing;
- Settling cancellations or issues of any kind concerning an order or the purchased services;
- Product returns according to the legal provisions;
- Product refunds according to the legal provisions;
- Providing support services, including answering your questions concerning your orders or the services provided by THAIco SPA or its partners.
Processing your data for these purposes is in most cases necessary to conclude and perform a service between THAIco SPA and yourself. Furthermore, some processing subordinated to these purposes is required by the applicable legislation, including the tax and accounting legislation.
We would like to keep you up to date on the best offers for products/services that interest you. To this end, we can send you any type of message (such as emails, text messages, phone, mobile push, webpush etc.) containing general and thematic information, information on products similar or complementary to those you purchased, information on offers or promotions, information on added services. We always ensure that the processing is carried out in compliance with your rights and freedoms and that decisions based on said processing do not have legal effects on you and similarly do not significantly affect you.
In most cases, we base our marketing communications on your prior consent. You can change your mind and withdraw your consent at any time by:
– Accessing the unsubscribe link in the messages you receive from us; or by
– Contacting THAIco SPA using the contact details described above.
In certain situations, we can base our marketing activities on our legitimate interest in promoting and developing our commercial activity. In any situation where we use information about you for our legitimate interest, we take all necessary measures to ensure that your fundamental rights and freedoms are not affected. However, using the means described above, you may request at any time that we stop processing your personal data for marketing purposes.
To defend our legitimate interests
There may be situations in which we use or transmit information to protect our rights and business. These may include:
– Measures to protect the THAIco SPA website and its users against cyber attacks;
– Measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
– Measures to manage various other risks.
The general basis of these types of processing is our legitimate interest in defending our business, it being understood that we ensure that all the measures we take guarantee a balance between our interests and your fundamental rights and freedoms.
How long do we keep your personal data?
As a general rule, we will store your personal data for an indefinite period. You may ask us at any time to delete certain information and we will respond to these requests, subject to the storage of certain information, including after the account is closed, in situations where the applicable law or our legitimate interests require it.
To whom do we send your personal data?
As the case may be, we may transmit or provide access to your personal data to the following categories of recipients:
If we are subject to a legal obligation or if it is necessary to protect our legitimate interest, we can also disclose certain personal data to public authorities.
We ensure that access to your data by third party private law entities is done in accordance with the legal provisions on data protection and confidentiality of information, based on agreements concluded with said entities.
To which countries do we transfer your personal data?
We currently store and process your personal data on the territory of Romania.
However, we may transfer some of your personal data to entities located in the European Union or outside the Union, including in countries where the European Commission has not recognized an adequate level of personal data protection.
We will always take steps to ensure that any international transfer of personal data is carefully managed in order to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, by other safeguards, such as standard European Commission contractual clauses or certification schemes, such as the Privacy Shield for the protection of personal data transferred from the EU to the United States of America.
You can contact us at any time, using the contact details specified above, to learn more about the countries where we transfer your data and the safeguards that we have applied to these transfers.
How do we protect the security of your personal data?
We are committed to ensuring the security of personal data by implementing appropriate technical and organizational measures, according to industry standards.
The transmission of your personal data is done using encryption algorithms; we store your personal data on secure servers and we ensure data redundancy.
Despite the steps taken to protect your personal data, please note that the transmission of information via the Internet in general or through other public networks is not completely secure; there is a risk that the data could be seen and used by unauthorized third parties. We cannot be responsible for such vulnerabilities of systems that are not under our control.
What are your rights?
The General Data Protection Regulation recognizes a series of rights with respect to your personal data. You may request access to your data, the correction of any errors in our files, and/or you can oppose the processing of your personal data. You can also exercise your right to complain to the competent supervisory authority or to court. As the case may be, you may also have the right to request the deletion of your personal data, the right to restrict the processing of your data and the right to data portability.
More information about each of these rights can be obtained by reviewing the table below.
In order to exercise your rights, you may contact us using the contact details listed above. Please note the following if you want to exercise these rights:
Identity. We are serious about the confidentiality of all records that contain personal data. For this reason, please send us your requests regarding such records using your email address. Otherwise, we reserve the right to verify your identity by requesting additional information to confirm your identity.
Fees. We will not charge a fee to exercise any right with respect to your personal data unless your request for access to information is groundless, repetitive or excessive, in which case we will charge a reasonable amount in such circumstances. We will inform you of any fees applied before settling your request.
Response time. We plan to respond to any valid request within a maximum of one month, unless the matter is particularly complicated or you have made several requests, in which case we will respond within a maximum of two months. We will let you know if we need more than a month. We may ask you to tell us exactly what you want to receive or what your concerns are. This will help us to act faster and reduce the response time to your request.
Rights of third parties. We do not have to comply with a request if it negatively affects other subjects’ rights and freedoms.
You can ask us:
- to confirm that we process your personal data;
- to provide you with a copy of this data;
- to provide you with other information about your personal data, such as what data we have, what we use it for, to whom we disclose it, whether we transfer it abroad and how we protect it, how long we keep it, what rights you have, how you can make a complaint, and where we obtained your data from, to the extent that the information has not already been provided to you by this policy.
You may ask us to rectify or complete your inaccurate or incomplete personal data.
We may try to verify the accuracy of the data before correcting it.
You may ask us to delete your personal data at any time.
We do not have to comply with your request for deletion of your personal data if processing of your personal data is required:
- to comply with a legal obligation; or
- to establish, exercise or defend a right in court.
There are certain other circumstances in which we are not obliged to comply with your request for data deletion, although these two are the most likely circumstances in which we may decline your request.
Restriction of data processing
You may ask us to restrict the processing of personal data, but only if:
- its accuracy is contested (see the rectification section), to allow us to verify its accuracy; or
- processing is illegal, but you do not want the data to be deleted; or
- the data is no longer necessary for the purposes for which it was collected, but you need it to find, exercise or defend a right in court; or
- you have exercised the right to oppose and we are in the process of checking whether our rights prevail.
We may continue to use your personal data following a restriction request if:
- we have your consent; or
- to establish, exercise or secure the defense of a right in court; or
- to protect the rights of THAIco SPA or other natural or legal persons.
You may ask us to provide your personal data in a structured, commonly used and machine-readable format, or request that it be “ported” directly to another data operator, but in each case only if:
- processing is based on your consent or on the conclusion or performance of a contract with you; and
- processing is done by automatic means.
For reasons related to your particular situation, you may oppose at any time the processing of your personal data based on our legitimate interest if you believe that your fundamental rights and freedoms prevail over this interest.
You can also oppose at any time, without justification, the processing of your data for direct marketing purposes, in which case we will cease said processing as soon as possible.
You have the right to file a complaint with the supervisory authority regarding the processing of your personal data. In Romania, the contact information of the data protection supervisory authority is the following:
The National Supervisory Authority for Personal Data Processing
28-30 General Gheorghe Magheru Blvd., District 1, postal code 010336, Bucharest, Romania
Phone: +40 318 059 211 or +40 318 059 212;
Without prejudice to your right to contact the supervisory authority at any time, please contact us in advance, and we promise that we will do our best to resolve any issues amicably.
We would like to remind you that you can contact the THAIco SPA data protection officer at any time by submitting your request in any of the following ways:
– by email to firstname.lastname@example.org; or
– by post or courier at 1 Intrarea Sevastopol Street, District 1, Bucharest, specifying “to the attention of the THAIco SPA data protection officer”.