EN

Privacy Policy

Mandatory Information on Data Subjects' Rights

 
Information about the company processing your data:
 
Name: Revolution Cosmetics Ltd.
VAT/BULSTAT: BG207775928
Registered Office and Management Address: Sofia, Lyulin 528
Correspondence Address: Sofia, Lyulin 528
Phone: +35929252233
Email: gxtattoo@gmail.com
Website: www.gxtattoo.com
 
Information about the competent supervisory authority for personal data protection:
 
Name: Commission for Personal Data Protection
Registered Office and Management Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Correspondence Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2
Phone: 02 915 3 518
Website: www.cpdp.bg
 
Revolution Cosmetics Ltd. (hereinafter referred to as "Administrator" or "Company") conducts its activities in accordance with the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The purpose of this information is to inform you about all aspects of the processing of your personal data by the Company and the rights you have in connection with this processing.
 
Basis for collecting, processing, and storing your personal data
 
Article 1. The Administrator collects and processes your personal data in connection with the use of the online store www.gxtattoo.com and the conclusion of contracts with the Company on the basis of Article 6(1) of Regulation (EU) 2016/679 (GDPR), specifically based on the following grounds:
 
- Explicit consent obtained from you as a customer;
- Performance of obligations of the Administrator under a contract with you;
- Compliance with a legal obligation applicable to the Administrator;
- For the purposes of the legitimate interests pursued by the Administrator or a third party.
 
Purposes and principles of collecting, processing, and storing your personal data
 
Article 2. (1) We collect and process the personal data that you provide to us in connection with the use of the online store and the conclusion of a contract with the company, including for the following purposes:
- Creating a profile and providing full functionality when using the online store;
- Conclusion and performance of a distance selling contract;
- Individualisation of the contract;
- Accounting purposes;
- Statistical purposes;
- Information security;
- Ensuring the performance of the contract for the provision of the respective service;
- Sending a newsletter upon your express request.
 
(2) We adhere to the following principles in processing your personal data:
- Lawfulness, fairness, and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy and timeliness of data;
- Storage limitation to achieve the purposes;
- Integrity and confidentiality of processing and ensuring an appropriate level of security of personal data.
 
(3) In processing and storing personal data, the Administrator may process and store personal data for the purpose of protecting the following legitimate interests:
- Fulfilling its obligations to the National Revenue Agency, Ministry of Interior, and other state and municipal authorities.
 
Types of personal data our company collects, processes, and stores
 
Article 3. (1) The Company performs the following operations with the personal data provided by you for the following purposes:
 
- User registration in the online store and execution of a distance selling contract - the purpose of this operation is to create a profile for using the online store for purchasing goods and to provide contact details for delivering purchased goods. Registration and creating a profile to use the online store are not mandatory steps for providing the service and are largely accessible without creating a profile.
 
- Sending a newsletter (newsletter) - the purpose of this operation is to administer the process of sending newsletters to customers who have expressed a desire to receive them. Given the limited scope of the personal data collected and the fact that part of it is collected from publicly available sources, conducting an impact assessment is not necessary for the implementation of an impact assessment.
 
- Exercising the right to withdraw or exercise a complaint - the purpose of this operation is to administer the process of exercising the right to withdraw or file a complaint by the client. Given the limited scope of the personal data collected, conducting an impact assessment is not necessary for the implementation of an impact assessment.
 
(2) The Administrator processes the following categories of personal data and information for the following purposes and on the following grounds:
 
- Your identifying data (email, name, etc.):
 
  - Purpose for which the data is collected: Establishing contact with the user and sending information to them, for the purposes of user registration in the online store, as well as for sending newsletters.
 
  - Basis for processing your personal data: By accepting the general terms and conditions and registering in the online store or placing an order without registration, or by concluding a written contract, a contractual relationship is created between the Administrator and you on which we process your personal data - Article 6(1)(b) of the GDPR. Your data for sending a newsletter is processed by your explicit consent - Article 6(1)(a) of the GDPR.
 
- Data for delivery purposes (names, phone numbers, addresses, etc.):
  - Purpose for which the data is collected: Fulfilment of the Administrator's obligations under a sales contract and of purchased goods.
- Basis for processing your personal data: By accepting the general terms and conditions and registering in the online store or placing an order without registration, or by concluding a written contract, a contractual relationship is created between the Administrator and you on which we process your personal data - Article 6(1)(b) of the GDPR.
 
- Additional data provided by you:
  - Purpose for which the data is collected: Completing information about the user in their user account.
  - Legal basis for data processing: You have explicitly consented to the processing of your personal data for one or more specific purposes - Article 6(1)(a) of the GDPR at the time of registration in the online store. Providing this data is not mandatory for registering in the online store.
 
(3) The Administrator does not collect or process personal data relating to the following:
- Racial or ethnic origin;
- Political, religious, or philosophical beliefs or membership in trade unions;
- Genetic and biometric data, data concerning health or data concerning a person's sex life or sexual orientation.
 
(4) The personal data is collected by the Administrator from the persons to whom they relate.
 
(5) The Company does not make automated decisions with data.
 
Article 4. (1) The Company performs the following operations with the provided personal data, as legal representatives or proxies of legal entities - business partners, for the following purposes:
 
- Conclusion and execution of a commercial transaction: For the conclusion and execution of a commercial transaction with a commercial company, we process only the three names of the legal representative or the person authorised by the company. Conclusion of the impact assessment: Given the limited volume of individuals whose data is processed and the limited volume of personal data collected, conducting an impact assessment is not necessary for this operation.
 
(2) Personal data is collected by the Administrator from the persons to whom they relate and from the Commercial Register to the Registry Agency.
 
(3) The Company does not make automated decisions with data.
 
Article 5. The Administrator may use so-called "cookies" for the purposes of providing full functionality of the website, improving user experience, statistical purposes, facilitating access, etc., which you agree to by using our website. You can control and/or delete "cookies" at any time through the settings of the browser you use. "Cookies" do not constitute personal data and are not used to identify visitors and users of the online store.
 
Retention period of your personal data
 
Article 6. (1) The Administrator retains your personal data for a period not longer than the existence of your profile in the online store. After deleting your profile, the Administrator takes the necessary measures to delete and destroy all your data without undue delay or to anonymise them (i.e., to render them in a form that does not reveal your identity).
 
(2) The Administrator processes your personal data, which you have provided when placing an order without registration in the online store, until the order is completed, unless you have given your explicit consent when placing the order for your data to be processed for the purposes of improving the service, providing recommended content for you, individual conditions, promotions, and for statistical purposes.
 
(3) The Administrator retains your personal data provided in connection with online orders made for a period of 5 years for the purposes of protecting the legal interests of the Administrator in judicial or administrative disputes with users of the online store.
 
(4) The Administrator will notify you if the retention period of the data needs to be extended in order to comply with a regulatory obligation or to safeguard the legitimate interests of the Administrator or otherwise.
 
(5) The Administrator retains personal data that it is required to keep under applicable law for the specified period, which may exceed the duration of your profile in the online store or until the order is completed.
 
Article 7. The Administrator retains the personal data of the legal representatives of its commercial partners for the duration of the contract execution, to comply with the legitimate interests and legal obligations of the Administrator, which period may exceed the duration of the concluded contract.
 
Disclosure of Your Personal Data for Processing
 
**Article 8. (1)** The Administrator may, at their discretion, disclose part or all of your personal data to data processors for the purposes of processing to which you have consented, in compliance with the requirements of Regulation (EU) 2016/679 (GDPR).
 
**Article 8. (2)** The Administrator will inform you in case of intention to disclose part or all of your personal data to third countries or international organisations.
 
**Your rights during the collection, processing, and storage of your personal data**
 
**Withdrawal of consent for the processing of your personal data**
 
**Article 9. (1)** If you do not wish for your provided personal data to be processed for marketing purposes or to receive newsletters, you may withdraw your consent for processing at any time by completing the withdrawal form in Appendix No. 1 or by making a free-form request via email.
 
**Article 9. (2)** Upon receiving your request, we will send you an email to the address you provided for receiving newsletters and promotional messages, with detailed instructions for verifying your status as a newsletter recipient and as a subject of personal data for which consent withdrawal has been requested.
 
**Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out by the Administrator up to that point.**
 
**Right of access**
 
**Article 10. (1)** You have the right to request and obtain confirmation from the Administrator whether personal data concerning you is being processed, by sending a free-form request via email.
 
**Article 10. (2)** You have the right to access your data and information related to the collection, processing, and storage of your personal data.
 
**Article 10. (3)** Upon receiving your request, we will send you an email to the email address you used to register or place orders in the online store, with detailed instructions for verifying your status as a user of the store and subject of the personal data for which access has been requested.
 
**Article 10. (4)** After verification according to paragraph 3, the Administrator will provide you, upon request, a copy of the processed personal data concerning you, in electronic or another appropriate form.
 
**Article 10. (5)** Access to the data is free of charge, but the Administrator reserves the right to impose an administrative fee in case of repetitiveness or excessive requests.
 
**Right to rectification or supplementation**
 
**Article 11. (1)** You may at any time correct or supplement inaccurate or incomplete personal data concerning you through the "Profile Edit" option.
 
**Article 11. (2)** You can correct or supplement inaccurate or incomplete personal data concerning you directly through your profile on the website or by sending a request to the Administrator via email, using the form in Appendix No. 4 or by making a free-form request.
 
**Right to erasure ("right to be forgotten")**
 
**Article 12. (1)** You have the right to request from the Administrator the erasure of part or all personal data concerning you, and the Administrator must delete it without undue delay when one of the following grounds applies:
 
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- You withdraw your consent on which the data processing is based, and there is no other legal basis for processing;
- You object to the processing of personal data concerning you, including for direct marketing purposes, and there are no overriding legitimate grounds for the processing;
- The personal data has been unlawfully processed;
- The personal data must be erased for compliance with a legal obligation under EU law or the law of a Member State that applies to the Administrator;
- The personal data has been collected in connection with the offer of services of the information society.
 
**Article 12. (2)** The Administrator is not required to delete personal data if it is necessary for:
 
- The exercise of the right to freedom of expression and information;
- Compliance with a legal obligation that requires processing provided for in EU law or the law of the Member State applicable to the Administrator or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Administrator;
- Reasons of public interest in the area of public health;
- Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
- Establishing, exercising, or defending legal claims.
 
**Article 12. (3)** To exercise your right to be forgotten, you must send a request for deletion of your personal data processed by the Administrator by email, using the form in Appendix No. 2 or by making a free-form request, after which the Administrator will send you an email to the email address you used to register or place orders in the online store, with detailed instructions for verifying your status as a store user and subject of the personal data for which a deletion request has been made.
 
**Article 12. (4)** After verifying the identity of the person submitting the request and the person to whom the data relates in accordance with your instructions, we will delete all data we process about you in accordance with paragraph 3.
 
**Article 12. (5)** If you have placed an order that is being processed, the earliest moment at which you can request to be "forgotten" is upon successful completion of the order.
 
**Right to restriction**
 
**Article 13.** You have the right to request from the Administrator to restrict the processing of your data by sending us a free-form request via email when:
 
- You contest the accuracy of personal data, for a period enabling the Administrator to verify the accuracy of the personal data;
- Processing is unlawful, but you do not want your personal data to be erased, only the use of it to be restricted;
- The Administrator no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defence of legal claims;
- You have objected to processing pending verification whether the legitimate grounds of the Administrator override your interests.
 
**Article 13. (2)** Upon receiving your request, we will send you an email to the email address you used to register or place orders in the online store, with detailed instructions for verifying your status as a store user and subject of the personal data for which a request for restriction of processing has been made.
 
**Article 13. (3)** After verification according to paragraph 2, we will suspend the processing of your data, but will not remove any publications you have made in the online store, if any.
 
**Right to data portability**
 
**Article 14. (1)** If you have given consent for the processing of your personal data or if processing is necessary for the performance of a contract with the Administrator, or if your data is processed by automated means, you have the right:
 
- To request the Administrator to provide you with your personal data in a readable format and transfer it to another Administrator;
- To request the Administrator to directly transfer your personal data to another Administrator designated by you, where technically feasible.
 
**Article 14. (2)** You can exercise the right to data portability by sending us an email with the completed form according to Appendix No. 3 or a free-form request, after which the Administrator will send you an email to the email address you used to register or place orders in the online store, with detailed instructions for verifying your status as a store user and subject of the personal data for which a request for data portability has been made.
 
**Article 14. (3)** After verification according to paragraph 2, the Company will send you the data it processes for you in XML format to the email address you provided.
 
**Right to receive information**
 
**Article 15.** You may request the Administrator to inform you about all recipients to whom the personal data for which correction, deletion, or restriction of processing has been requested, have been disclosed. The Administrator may refuse to provide this information if it would be impossible or would require disproportionate efforts.
 
**Right to object**
 
**Article 16.** You may object at any time to the processing of personal data concerning you by the Administrator, including if it is processed for profiling or direct marketing purposes.
 
**Your rights in case of a breach of the security of your personal data**
 
**Article 17. (1)** If the Administrator identifies a breach of the security of your personal data that may pose a high risk to your rights and freedoms, they will notify you of the breach without undue delay, as well as the measures that have been or are to be taken.
 
**Article 17. (2)** The Administrator is not required to notify you if:
 
- They have taken appropriate technical and organisational measures to protect the data affected by the breach of security;
- Subsequent measures have been taken to ensure that the breach will not lead to a high risk to your rights;
- Notification would require disproportionate effort.
 
**Entities to whom your personal data are provided**
 
**Article 18. (1)** For the purposes of processing your personal data and providing the service in its full functionality and in view of your interests, the Administrator may provide the data to the following data processors:
 
**Data processor           Purpose of personal data processing**
 
.......................................................................         .............................................................................
.......................................................................         .............................................................................
.......................................................................         .............................................................................
 
**Article 18. (2)** The data processors comply with all requirements for legality and security in the processing and storage of your personal data.
 
**Article 19.** The Administrator does not transfer your data to third countries.
 
**Article 20.** In case of violation of your rights under the aforementioned or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection, as follows:
 
Name: Commission for Personal Data Protection  
Headquarters and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Phone: +359 2 915 3 518  
Website: www.cpdp.bg
 
**Article 21.** You can exercise all your rights regarding the protection of your personal data using the forms attached to this information. Of course, these forms are not mandatory, and you can submit your requests in any form that contains a statement to this effect and identifies you as the data subject.
 
**Article 22.** If consent relates to transfer, the Administrator describes the possible risks of transferring data to third countries in the absence of a decision on adequate protection and appropriate safeguards for protection.
 
**Appendix No. 1**
 
Withdrawal Form of Consent for Processing Purposes
 
Your name*: .........................
Your email used in the online store*: .........................
Contact details (email)*: ..........................
 
To:
Name: Revolution Cosmetics Ltd.
Company ID (EIK/BULSTAT): BG207775928
Headquarters and management address: Sofia, Lyulin 528
Correspondence address: Sofia, Lyulin 528
Phone: +359 2925 2233
Email: gxtattoo@gmail.com
Website: www.gxtattoo.com
 
I hereby withdraw my consent for processing my personal data provided by me for the purposes of receiving newsletters, promotional messages, or other marketing materials, having read the conditions for withdrawal of consent in accordance with the Mandatory Information on the Rights of Data Subjects of the online store.
 
In case of violation of your rights under the aforementioned or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection, as follows:
 
Name: Commission for Personal Data Protection  
Headquarters and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Phone: +359 2 915 3 518  
Website: www.cpdp.bg
 
**Appendix No. 2**
 
Request for "Right to be Forgotten" - Deletion of Personal Data Related to Me
 
Your name*: .........................
Your email used for registration or ordering in the online store*: .........................
Contact details (email)*: ..........................
 
To:
Name: Revolution Cosmetics Ltd.
Company ID (EIK/BULSTAT): BG207775928
Headquarters and management address: Sofia, Lyulin 528
Correspondence address: Sofia, Lyulin 528
Phone: +359 2925 2233
Email: gxtattoo@gmail.com
 
Please delete all personal data collected, processed, and stored by you, provided by me or third parties associated with me, according to the specified identification.
 
I declare that I am aware that part or all of my personal data may continue to be processed and stored by the administrator for the purposes of fulfilling its legal obligations.
 
In case of violation of your rights under the aforementioned or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection, as follows:
 
Name: Commission for Personal Data Protection  
Headquarters and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Phone: +359 2 915 3 518  
Website: www.cpdp.bg
 
**Appendix No. 3**
 
Request for Portability of Personal Data
 
Your name*: .........................
Your email used for registration or ordering in the online store*: .........................
Contact details (email)*: ..........................
 
To:
Name: Revolution Cosmetics Ltd.
Company ID (EIK/BULSTAT): BG207775928
Headquarters and management address: Sofia, Lyulin 528
Correspondence address: Sofia, Lyulin 528
Phone: +359 2925 2233
Email: gxtattoo@gmail.com
Website: www.gxtattoo.com
 
Please send all personal data associated with me that is collected, processed, and stored in your databases in XML format to:
Email: .........................
Administrator - data recipient: .........................
 
Name: .........................
Identification number (EIK, BULSTAT, registration number in KZLD): .........................
Email: .........................
 
In case of violation of your rights under the aforementioned or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection, as follows:
 
Name: Commission for Personal Data Protection  
Headquarters and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Phone: +359 2 915 3 518  
Website: www.cpdp.bg
 
**Appendix No. 4**
 
Request for Data Correction
 
Your name*: .........................
Your email used for registration or ordering in the online store*: .........................
Contact details (email)*: ..........................
 
To:
Name: Revolution Cosmetics Ltd.
Company ID (EIK/BULSTAT): BG207775928
Headquarters and management address: Sofia, Lyulin 528
Correspondence address: Sofia, Lyulin 528
Phone: +359 2925 2233
Email: gxtattoo@gmail.com
Website: www.gxtattoo.com
 
Please correct the following personal data collected, processed, and stored by you, provided by me or by third parties associated with me:
Data to be corrected:
..................................................
Please correct them as follows:
..................................................
In case of violation of your rights under the aforementioned or applicable data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection, as follows:
 
Name: Commission for Personal Data Protection  
Headquarters and management address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Correspondence address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2  
Phone: +359 2 915 3 518  
Website: www.cpdp.bg