1. SCOPE, DATA CONTROLLER AND DEFINITIONS
1.2. The controller of your personal data
stichd sportmerchandising B.V.
De Waterman 2
5215 MX ’s-Hertogenbosch
Please note that in order to exercise your rights regarding data processing you can contact us via firstname.lastname@example.org.
- GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the European Council dated 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- The recipient is a natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular enquiry, in accordance with Union or Member State law, shall not be regarded as recipients; the processing of such data by public authorities shall comply with the applicable rules on data protection and the purposes of the processing. Examples of possible recipients: banks/payment service providers, logistics and shipping service providers and IT service providers (for more information see Article 4).
- Personal data refers to any information relating to an identified or identifiable natural person ("data subject's personal data"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Examples of personal data: name, contact details, bank or credit card details.
- Processing refers to any operation or set of operations which is performed on personal data or on a set of personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
2. PURPOSES, LEGAL GROUNDS AND RETENTION PERIODS FOR OUR PROCESSING OF YOUR PERSONAL DATA
2.1. Processing of your data when you visit the Website
If you visit the Website, we process your personal data to learn more about our products and services (regardless of whether you are registered for a customer account or not), in order to execute and fulfil your order placed with us in the online shop, in case you are actively transferring information to us (for information purposes only), for communication purposes with you, including when you contact us via our means of communication or otherwise interact with us, including with our customer support. With regard to the aforementioned, we process your personal data for the following purposes and on the following legal bases:
2.1.1. Provision of Website and IT security
We automatically collect certain information when you visit the Website that is technically necessary to enable us to make the Website available and to ensure stability and security when you visit it, such as the type and version of the browser, the Uniform Resource Locator and the type of operating system and platform. In this respect we also process personal data, namely your IP address.
For security purposes, this personal data is stored in server log files, which are automatically deleted after 30 days. This personal data processing is technically necessary to enable you to use the Website and for our legitimate interest in ensuring IT security (legal basis: Article 6(1)(f) GDPR).
2.1.2. Provision of localised website
We also process your personal data that is technically necessary to enable us to provide you with a localised version of the Website, in particular with regard to language. This data processing is necessary for our legitimate interest in adapting the Website to your needs (legal basis: Article 6(1)(f) GDPR). For security purposes, this personal data is stored in server log files, which are automatically deleted after 30 days.
2.1.3. Website analysis
This data processing is necessary for our legitimate interest to carry out analyses to improve the Website and products, and to advertise our products on the internet in an appropriate and effective manner (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 26 months, or shorter in case the Analytics Data Retention setting is set to anything shorter than 26 months, or until a decision to unsubscribe is made as described below.
Unsubscribe from Google Analytics:
You can generally prevent your personal data (including your IP address) from being processed by Google Analytics by downloading and installing the browser add-on available at the following link:
You can also prevent Google Analytics from collecting your usage data on the Website by clicking on the following link:
In this case, a permanent opt-out cookie (name: "ga-disable-UA-[...]") is set in the browser you are currently using, which prevents your data from being recorded when you visit the Website with this specific browser in the future. If you use a different browser, Google Analytics is in principle enabled, unless the opt-out cookie is also set in this browser. Please note that Google Analytics will be re-enabled if you delete the above opt-out cookie from your browser.
2.1.4. Individual recommendations on the Website
This data processing is necessary for our legitimate interest in creating a better user experience by providing customised recommendations (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 26 months or until a decision to unsubscribe is made as described below. Unsubscribe from individual recommendations: You can object to this data processing by clicking on the following unsubscribe link:
- Google AdWords: https://adssettings.google.com
2.1.5. Links to third party websites
2.1.6. Display of advertisements/retargeting on third-party websites
- Google AdWords: https://policies.google.com/privacy
- Facebook ads: https://www.facebook.com/about/privacy
- Pinterest ads: https://help.pinterest.com/en/article/personalized-ads-on-pinterest
- Twitter ads: https://twitter.com/en/privacy#chapter2
This data processing is necessary for our legitimate interest to advertise our products on the internet in an appropriate and efficient manner (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.
Unsubscribe from retargeting: You can object to this data processing by clicking on the following link(s) for unsubscribing from the respective service provider(s) for retargeting:
- Google AdWords: https://adssettings.google.com
- Facebook ads: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
- Pinterest ads: https://help.pinterest.com/en/article/personalized-ads-on-pinterest
- Twitter ads: https://twitter.com/settings/safety
2.1.8. Customer service
Depending on the subject of your request, we rely on your personal data stored in our systems in the context of other data processing activities (e.g., data that you have provided during a purchase or when addressing our customer service (including live chat) for any reason). We will also collect data from external sources if and to the extent necessary to fulfil your request, such as logistics service providers for the tracking of your shipment or a shipment request. Within the scope of the requests regarding a (pre-)contractual relationship with you, this data processing is necessary for the performance of a contract (provision of customer service) with you (legal basis: Article 6(1)(b) GDPR). If you want to exercise your rights against us, the corresponding data processing is necessary in order to comply with a legal obligation (legal basis: Art. 6(1)(c) GDPR). If you wish to receive information or make a complaint about our products and services, the respective data processing is necessary for our legitimate interest in responding to your information request/complaint (legal basis: Article 6(1)(f) GDPR).
2.2. E-mail marketing and newsletters to subscribers
If you have subscribed to our e-mail newsletter, we will send you newsletters from time to time to inform you about our products, services and offers. This data processing is based on your consent (legal basis: Article 6(1)(a) GDPR). This data is kept until your decision to unsubscribe as described below.
You can withdraw your consent and subscription to our newsletter at any time by sending an e-mail with your unsubscription request to our customer service via email@example.com and/or by clicking on the "Unsubscribe" link at the bottom of each newsletter. These data will be processed until the consent is withdrawn.
Objection to e-mails for direct marketing / newsletters:
You may object at any time to this processing of personal data and unsubscribe from our direct marketing e-mails by sending an e-mail with your unsubscription request to firstname.lastname@example.org and/or by clicking on the "Unsubscribe" link included in each direct marketing e-mail. In that case you will no longer receive newsletters from us.
2.3. Registration and creation of a customer account
When you visit the Website, you have the option to create a customer account. The registration for a customer account requires you to provide personal data. Mandatory fields are marked as such in the form. This data processing is necessary for the performance of a contract (provision of a customer account) with you (legal basis: Article 6(1)(b) GDPR). We retain this data for as long as you are an active customer of ours. According to the law, we have to keep the data related to contractual relationships for 7 years. In addition, you can review, modify or delete your data yourself in the account environment.
2.4. Data processing in the case of orders in the online shop
We process your personal data in connection with the purchase of products in the online shop at the Website.
2.4.1. Purchase and payment of goods in the online shop
We process your personal data (such as contact details, shipping and payment information) when you purchase products from the online shop at the Website. If you purchase items on behalf of another person (third party), we will process the third party's personal data (name and contact details) for the purpose of the fulfilment of the order, including shipment of the products, to that third party you indicated. Make sure you are authorised to provide such personal data. This data processing is necessary for the performance of a contract with you (legal basis: Article 6(1)(b) GDPR). According to the law, we must retain the data related to contractual relationships for 7 years.
2.4.2. Emails about an abandoned shopping cart
If you have placed items in your shopping cart but not completed the order process, we may send you a single abandoned cart e-mail to the e-mail address stored in your customer account. This data processing is necessary for our legitimate interest to remind you of any purchasing processes you have not yet completed (legal basis: Article 6(1)(f) GDPR). You can object to this type of processing and unsubscribe from our abandoned cart e-mailing at any time by clicking on the unsubscribe link that is placed at the bottom of the abandoned cart e-mailing.
2.4.3. Fraud and credit check
We check, based on your device and predefined rules, whether the order should be categorised as suspicious with regard to fraud. If fraud is suspected, we will additionally carry out an individual check of the order. The result of this manual fraud check may be positive, which would lead to the order being approved. However, if the suspicion of fraud persists, we may decide to cancel the order, depending on the specific case. This data processing is necessary for our legitimate interest in preventing and minimizing the risk of payment defaults, false details being used and fraud (legal basis: Article 6(1)(f) GDPR). This data will be kept for 7 years, the period required under Dutch law, for compliance with the applicable legislation and for Scheme Rules compliance purposes (fraud prevention and fraud investigation).
2.4.4. Cancellation of purchase
In all cases of cancellation of the purchase (e.g., withdrawal from the contract), we will process your personal data for the return of the items and the refund of the purchase price. This data processing is necessary for the performance of a contract with you (legal basis: Article 6(1)(b) GDPR) and/or to comply with a legal obligation (legal basis: Article 6(1)(c) GDPR). According to the law, we must retain the data related to contractual relationships for 7 years.
2.4.5. Emails inviting product ratings and reviews
We would like to know if you are satisfied with the items you purchased from us. For this purpose, we may process your e-mail and purchase data (e.g., the items purchased and the date of purchase) in order to be able to optionally send you an e-mail within one month after the purchase, inviting you to review the purchased products. This data processing is necessary for our legitimate interest in providing good customer service and marketing (legal basis: Article 6(1)(f) GDPR). You can object to invitation e-mails for product ratings and reviews by sending an e-mail to email@example.com. If you have already received an e-mail inviting you to evaluate the product, you may refuse to receive such e-mails in future by clicking on the "Unsubscribe" link in each invitation e-mail.
2.5. Other processing
2.5.1. Performing internal audits
Your personal data may be processed in the context of audits conducted in relation to the organisation stichd. Your data may also be processed appropriately under certain circumstances in order to identify and correct misconduct within the company and to implement compliance programs and measures. This data processing is necessary in order to comply with our legal obligations (legal basis: Article 6(1)(c) GDPR) and/or for our legitimate interest to monitor processes and efficiency within stichd, to correct misconduct and fraud cases, to enforce and/or defend our rights and to find out about possible criminal offences (legal basis: Article 6(1)(f) GDPR). According to the law, we must retain the data related to contractual relationships for 7 years.
2.5.2. Performing analyses
2.6. Protecting Your Data
We secure our website and other systems against loss, destruction, unauthorized access, modification or distribution of your data by unauthorized persons by implementing the appropriate technical and organizational measures. Furthermore, your personal data is transmitted to us in encrypted format. This applies to your order and when you log in as a customer. We use SSL (Secure Sockets Layer) encryption.
3. RETENTION AND DELETION OF YOUR PERSONAL DATA
4. TRANSFER OF PERSONAL DATA AND CATEGORIES OF RECIPIENTS
Your personal data can be transferred/disclosed to the following categories of recipients:
- IT service providers, marketing services providers and other service providers who, among other things, prepare the platforms, databases and tools for our products and services (e.g., the Website, selling items, sending informative e-mails), analyse user habits on the Website, and process your personal data on our behalf during the purchase process.
- Data analytics providers. In connection with the use of Google Analytics and Google AdWords, including tags and cookies, your personal data may be transferred to the USA. Google LLC is subject to the EU-U.S. Privacy Shield. This means that appropriate protection of your personal data is guaranteed.
- In order to provide you with a localised version of the Website, we transfer your personal data to a third-party service provider in the USA. The external service provider is subject to the EU-U.S. Privacy Shield. This means that appropriate protection of your personal data is guaranteed.
- For the delivery of your purchased items on the Website (including notifications about the delivery status of orders), we transfer your personal data to our contracted providers for handling and shipping (e.g., DHL, UPS, TNT etc.). The transfer of your personal data is based on the performance of a contract with you (legal basis: Article 6(1)(b) GDPR).
- In addition, we transfer your personal data if we are legally obliged to do so (for example, to the authorities in the context of a criminal investigation or to the appropriate data protection supervisory authorities). This transfer of personal data is necessary in order to comply with a legal obligation (legal basis: Article 6(1)(c) GDPR) or where we reasonably conclude that it is necessary for defending, exercising or establishing our legal rights for our legitimate interest (legal basis: Article 6(1)(f) GDPR).
5. RIGHT TO OBJECT TO DATA PROCESSING ON THE BASIS OF LEGITIMATE INTERESTS
We process your personal data within the meaning of chapter 2, based on our legitimate interest to ensure IT security on the Website, to adapt the Website to your needs, to perform analyses, to inform you about our product reviews, to remind you about purchases that have not yet been completed, to prevent fraud and abuse, to prevent non-payment, to take care of our customers, to secure, strengthen and improve our legitimate interest (including in court if necessary) and to carry out our international management and cooperation. Please contact firstname.lastname@example.org for information on the balancing of interests by stichd. Notwithstanding the specific possibilities to object to the processing of data described in chapter 2 (e.g. the links to unsubscribe; for other rights see chapters 6 and 7 hereunder), you also have the right to object at any time to the processing of your personal data on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR for reasons relating to your particular situation (Article 21 GDPR) by sending an e-mail to email@example.com. We will then no longer process your data for these purposes, unless our legitimate interests for processing outweigh them or the processing is for the establishment, exercise, or substantiation of legal claims. If you object to the processing of your data, we will process the personal data collected in this context in order to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) GDPR).
6. RIGHT TO WITHDRAW CONSENT
If you have given us permission to process your personal data, you can withdraw this permission at any time. The withdrawal of your consent is effective for the future and does not affect the lawfulness of processing based on consent before the withdrawal. Unless specifically provided for in chapter 2, please send your withdrawal of consent to firstname.lastname@example.org. If you withdraw your consent, we will process your personal data collected in this context in order to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) GDPR).
7. YOUR OTHER DATA PROTECTION RIGHTS
In accordance with the GDPR, you have the right to request that we:
- Provide you with information on your personal data that we process (Article 15 GDPR)
- Rectify your personal data stored on our systems (Article 16 GDPR)
- Erase your data (Article 17 GDPR)
- Restrict your data from processing (Article 18 GDPR)
- Export your data (Article 20 GDPR)
Please send your request with at least your first and last name by e-mail to email@example.com or in writing to stichd sportmerchandising B.V., De Waterman 2, 5215 MX 's-Hertogenbosch, the Netherlands. If you exercise these rights, we will process your personal data to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) GDPR). Regardless of your rights mentioned above, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data by stichd is in breach of the GDPR (Article 77 GDPR).