Processing of personal data

PRIVACY AND COOKIES NOTICE / Privacy Policy and Privacy Notice

provided by the data controller to the data subject when collecting personal data from the data subject and the cookie notice of the fashionmafia.sk online shop  /

I. Controller

1.1. The identity and contact details of the Controller are as follows:

Business Name: IS Studio, s.r.o.
Registered Office: Žižkova 2339/25, 040 01 Košice, Slovak Republic
Registered in the Commercial Register of the Košice District Court, Section Sro, Insert no. 26122/V
Company ID (IČO): 45675201
Tax ID (DIČ): 2023088166
VAT ID (IČ DPH): SK2023088166
Bank Account: SK5711000000002928842407
The Seller is a VAT payer

1.2. The Controller’s email and telephone contacts are:

1.3. The Controller’s address for sending written correspondence:

IS Studio, s.r.o., Žižkova 25, 04001 Košice, Slovak Republic

1.4. In accordance with Article 13(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (repealing Directive 95/46/EC, the “GDPR”), with Act No. 18/2018 Coll. on Personal Data Protection and on Amendments and Supplements to Certain Laws, as amended, and with Act No. 452/2021 Coll. on Electronic Communications, as amended, the Controller (the “Seller”) provides the following information, explanations, and instructions to the Data Subject (the “Buyer”) from whom the Controller obtains personal data:

II. References

2.1. These Principles and Instructions on Personal Data Protection form part of the General Terms and Conditions published on the Seller’s Website.

2.2. Pursuant to § 3(1)(n) of Act No. 102/2014 Coll., the Seller informs the consumer that there are no specific relevant codes of conduct that the Seller has undertaken to follow. (A code of conduct is defined as an agreement or set of rules that determines the behavior of the Seller, who has undertaken to comply with that code in relation to one or more specific commercial practices or business sectors, if not established by law or another legal regulation or an act of a public authority; the Seller has undertaken to comply with it, and information on how the consumer can become acquainted with it or obtain its text is provided.)

III. Duration

3.1. The Controller only retains the Data Subject’s personal data for the necessary period required to fulfill the contract and for subsequent archiving in accordance with the retention periods imposed on the Controller by law. If the Data Subject consented to receiving marketing emails and similar offers, the Data Subject’s personal data are processed for these purposes until the Data Subject withdraws their consent, or for a maximum of 10 years.

IV. Processed Personal Data

4.1. On its website, the Controller processes the following personal data: first name, last name, residence address, email address, home telephone number, mobile phone number, billing address, delivery address, data obtained from cookies, and IP addresses.

V. Contact Details of the Data Protection Officer

5.1. The Controller has appointed a Data Protection Officer (DPO) under Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Contact: Email: info@fashionmafia.sk, Tel.: +421 903 963 929

5.2. The Controller is also the Seller in the sense defined in the General Terms and Conditions of this website.

VI. Purposes of Processing the Data Subject’s Personal Data and Period of Processing

6.1. The main purposes for which the Data Subject’s personal data are processed include:

6.1.1. Recording, creating, and handling contracts and client data for the purpose of concluding contracts with third parties.

6.1.2. Processing accounting documents and documents related to the Controller’s business activities.

6.1.3. Complying with legal regulations related to document archiving, e.g., under Act No. 431/2002 Coll. on Accounting, as amended, and other relevant regulations.

6.1.4. The Controller’s activities related to fulfilling requests, orders, contracts, and similar instruments of the Data Subject.

6.1.5. Newsletter, marketing, and similar promotional activities by the Controller, if the Data Subject has given their consent.

VII. Legal Basis for Processing the Data Subject’s Personal Data

7.1. If the Controller processes personal data based on the Data Subject’s consent, such processing will begin only after the Data Subject has granted the relevant consent.

7.2. If the Controller processes the Data Subject’s personal data for the purpose of pre-contractual negotiations, entering into and fulfilling a purchase contract, and the related delivery of goods, products, or services, the Data Subject is obliged to provide personal data required for the proper performance of the purchase contract; otherwise, fulfillment cannot be ensured. The personal data for this purpose are processed without the Data Subject’s consent.

VIII. Recipients or Categories of Recipients of Personal Data

8.1. Recipients or potential recipients of the Data Subject’s personal data include:

8.1.1. The statutory bodies or members thereof of the Controller.

8.1.2. Persons performing work under an employment or similar contract for the Controller.

8.1.3. The Controller’s business representatives and other persons cooperating with the Controller in the performance of the Controller’s tasks. For the purposes of this document, any natural person performing dependent work for the Controller under an employment contract or an agreement outside an employment relationship shall be considered an employee of the Controller.

8.1.4. The Controller’s associates, business partners, suppliers, and contractual partners, in particular: an accounting company, a company providing software development and maintenance, a legal services provider, a consulting company, companies providing product transport and delivery to Buyers and third parties, marketing companies, social media operators, companies providing payment gateways and other payment methods.

8.1.5. Courts, law enforcement authorities, the tax authority, and other state authorities, if required by law. In such cases, the Controller shall provide personal data to the relevant offices and state institutions in accordance with the laws of the Slovak Republic.

8.1.6. The list of third parties (processors) and recipients who process the Data Subject’s personal data includes:

  • General Logistics Systems Slovakia s.r.o., Budča 1039, 962 33 Budča, Slovak Republic – third party providing shipping services
  • Packeta Slovakia s.r.o., Sliačska 1E, 831 02 Bratislava – Nové Mesto, ID: 48136999 – third party providing shipping services
  • STRIPE PAYMENTS EUROPE, LIMITED, C/O A & L Goodbody, IFSC, North Wall Quay, Dublin, D01 H104, Ireland – third party providing payment gateway services
  • Heureka Shopping s.r.o., Karolinská 650/1, 186 00 Praha 8 – Karlín, Czech Republic, ID: 02387727 – third party ensuring satisfaction monitoring of the website’s operation (Overené zákazníkmi)

8.2. The Controller of the e-shop measures customer satisfaction via email questionnaires within the “Overené zákazníkmi” (Verified by Customers) program, in which the Controller’s e-shop participates. Every time a purchase is made, an email questionnaire is sent to the Data Subject (Buyer), unless the Data Subject – Buyer refuses the sending of electronic mail for direct marketing under Act No. 452/2021 Coll., as amended. The Controller processes personal data for the purpose of sending the questionnaire within the Overené zákazníkmi program based on the Controller’s legitimate interest, which is to measure the Data Subject’s (Buyer’s) satisfaction with a purchase in the Seller’s e-shop. For sending the questionnaires, evaluating the Buyer’s feedback, and analyzing market position, the Controller uses a processor – the operator of the Heureka.sk portal, which may receive information about the purchased goods and the Buyer’s email address for these purposes. When email questionnaires are sent, the Buyer’s personal data are not passed on to any third party for their own purposes. The Buyer may object to receiving the questionnaire at any time by clicking the link in the questionnaire email. In that event, the Controller will no longer send any further questionnaires to the Data Subject (Buyer).

IX. Information on the Provision of Personal Data to Third Countries and the Retention Period

9.1. Applicable. The Controller transfers personal data in the form of cookies to third countries, to the following entities:

X. Information on the Data Subject’s Relevant Rights

10.1. Among other rights, the Data Subject has the following:

10.1.1. This point 10.1 does not affect the other rights of Data Subjects.

10.1.2. Right of access under Article 15 of the GDPR, which includes:

  • The right to obtain from the Controller confirmation as to whether it processes the personal data of the Data Subject, and if so, to what extent. If processed, the Data Subject has the right to know their content and to request information from the Controller about the reason for the processing. In particular, the Data Subject may request:
    • The purpose of the processing
    • The categories of personal data concerned
    • The recipients or categories of recipients to whom the personal data have been or will be disclosed, especially in the case of recipients in third countries or international organizations
    • The envisaged retention period for personal data or, if not possible, the criteria used to determine that period
    • The existence of the right to request from the Controller the rectification or erasure of personal data relating to the Data Subject, or restriction of processing, and the right to object to such processing
    • The right to lodge a complaint with a supervisory authority
    • If the data were not collected from the Data Subject, any available information regarding their source
    • The existence of automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR, and at least meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject
    • Information on the appropriate safeguards under Article 46 of the GDPR if personal data are transferred to a third country or an international organization

10.1.3. Right to obtain a copy of the personal data being processed, provided that doing so does not adversely affect the rights and freedoms of others.

10.1.4. Right to rectification under Article 16 of the GDPR, which includes the right:

  • To have the Controller rectify inaccurate personal data concerning the Data Subject without undue delay
  • To complete any incomplete personal data, including by means of providing a supplementary statement

10.1.5. Right to erasure (“right to be forgotten”) under Article 17 of the GDPR, which includes:

  • The right to have the Controller erase personal data relating to the Data Subject without undue delay if one of the following grounds applies:

    • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
    • The Data Subject withdraws consent on which the processing is based (provided there is no other legal ground for processing)
    • The Data Subject objects to the processing under Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or the Data Subject objects under Article 21(2) of the GDPR
    • The personal data have been unlawfully processed
    • The personal data must be erased for compliance with a legal obligation under EU or Member State law to which the Controller is subject
    • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR

  • If the Controller has made the personal data public, it shall take reasonable steps (including technical measures) to inform other controllers processing the personal data that the Data Subject has requested the erasure of any links to, or copies or replications of, those personal data.

10.1.6. Right to restriction of processing under Article 18 of the GDPR, which includes:

  • The right to have the Controller restrict the processing of personal data in certain cases, for example when the Data Subject contests the accuracy of the data (for a period enabling the Controller to verify accuracy), if the processing is unlawful and the Data Subject opposes erasure and requests restriction instead, if the Controller no longer needs the data for the processing but the Data Subject requires them for legal claims, or if the Data Subject has objected under Article 21(1) of the GDPR, pending verification whether the Controller’s legitimate grounds override those of the Data Subject.

10.1.7. The right to ensure that where processing has been restricted, such data (except for storage) are processed only with the Data Subject’s consent, or for legal claims, or for the protection of another natural or legal person, or for reasons of important public interest of the EU or a Member State.

10.1.8. The right to be informed in advance if the restriction of processing is to be lifted.

10.1.9. Right to notification regarding rectification, erasure, or restriction under Article 19 of the GDPR:

  • The right to have the Controller notify each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

10.1.10. Right to data portability under Article 20 of the GDPR:

  • The right to receive the personal data concerning the Data Subject, which they have provided to the Controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the Controller, if: a) The processing is based on consent under Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract under Article 6(1)(b) of the GDPR, and
    b) The processing is carried out by automated means.

  • The exercise of the above must not adversely affect the rights and freedoms of others.

10.1.11. Right to object under Article 21 of the GDPR, which includes:

  • The right to object, on grounds relating to the Data Subject’s particular situation, at any time to the processing of personal data concerning them that is based on Article 6(1)(e) or (f) of the GDPR, including profiling.
  • In such case, the Controller shall no longer process the data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the Data Subject, or for legal claims.
  • The right to object at any time to processing of personal data for direct marketing purposes, including profiling related to direct marketing; upon such an objection, personal data shall no longer be processed for these purposes.

10.1.12. Rights relating to automated individual decision-making under Article 22 of the GDPR:

  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects them, except where such decision is necessary for entering into or performing a contract with the Controller, authorized by EU or Member State law, or based on the Data Subject’s explicit consent.

XI. Instruction on the Data Subject’s Right to Withdraw Consent to the Processing of Personal Data

11.1. The Data Subject may withdraw their consent to the processing of personal data at any time, without affecting the lawfulness of processing that was based on consent before its withdrawal.
The Data Subject may withdraw consent in whole or in part (e.g., for a specific type of processing or a specific purpose), in which case the lawfulness of any remaining processing activities remains unaffected.
Consent can be withdrawn in writing by sending a notice to the Controller’s registered address as listed in the Commercial Register at the time of withdrawal, or electronically by email to the address provided in this document.

XII. Instruction on the Data Subject’s Right to Lodge a Complaint with the Supervisory Authority

12.1. The Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the GDPR, without prejudice to any other administrative or judicial remedy. The Data Subject also has the right to be informed by the supervisory authority about the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

12.2. In the Slovak Republic, the supervisory authority is the Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky), Hraničná 12, 820 07 Bratislava 27, Slovak Republic, Tel.: +421 2 3231 3214, Email: statny.dozor@pdp.gov.sk

XIII. Information on Automated Decision-Making, Including Profiling

13.1. Since, in the case of the Controller, there is no automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, the Controller is not required to provide the information under Article 13(2)(f) of the GDPR (i.e., information about automated decision-making, including profiling, and the logic used, as well as the significance and the envisaged consequences of such processing for the Data Subject). Not applicable.

XIV. Personal Data Protection and the Use of Cookies. Explanation of Cookies, Scripts, and Pixels

14.1. The Controller provides the following short explanation of the function of cookies, scripts, and pixels:

14.1.1.

  • Cookies are small text files that contain a small amount of information, downloaded to your device when you visit a website. They enable the website to store, for a certain period, information about your actions and preferences (such as login name, language, font size, and other display settings) so that you do not have to re-enter them every time you visit or navigate across pages.
  • Script is a piece of programming code that ensures correct and interactive functionality of webpages. This code is executed on the server or on your device.
  • Pixels are small, invisible text or image elements on a webpage that are used to monitor website traffic. Using pixels, various data can be stored.

14.1.2. Cookies categories:

  • Essential cookies – ensure the proper functioning of the Controller’s website. These cookies are used without consent.
  • Functional cookies – relate to user choices regarding cookie usage on the website, including acceptance, refusal, or customization settings based on privacy preferences.
  • Statistical cookies – used by the Controller to obtain statistics on the usage of its website. These cookies require consent.
  • Advertising cookies – used to create advertising profiles and related marketing activities. These cookies require consent.

14.2. How to control cookies: 14.2.1. You can control and/or delete cookies as you wish. For more details, visit aboutcookies.org. You can delete all cookies already stored on your device, and you can usually set most browsers to prevent them from being stored.

14.3.1. Cookies used:

  • Essential cookies:

    • cookie_consent_level (First-party, 1 year 1 month): This cookie stores the user’s consent status for different cookie categories.
    • PHPSESSID (First-party, 1 year 1 month): Generated by PHP-based applications; a general identifier used to maintain user session variables.

  • Statistical cookies:

    • _ga_4E0X9EEKS1 (First-party, 1 year 1 month): Used by Google Analytics to maintain session status.
    • _ga (First-party, 1 year 1 month): Associated with Google Universal Analytics to distinguish unique users by assigning a randomly generated number.
    • sib_cuid (First-party, 6 months 1 day): Used to identify the visitor within an application, enabling website behavior tracking and performance measurement.

  • Advertising cookies:

    • uuid (Third-party, 6 months 1 day): Used to optimize ad relevance by collecting data on visitors across various websites.
    • _gcl_au (First-party, 3 months): Used by Google AdSense to experiment with ad efficiency on sites using its services.
    • _fbp (First-party, 3 months): Used by Meta to provide real-time offers from third-party advertisers.

14.3.2. Cookies disclosed to third parties:

XV. Final Provisions

15.1. These Principles and Instructions on Personal Data Protection and the cookies instructions form an integral part of the General Terms and Conditions and the Complaints Procedure (Reklamačný poriadok). Both the General Terms and Conditions and the Complaints Procedure are published on the Seller’s Website domain.

15.2. These Principles and Instructions on Personal Data Protection become valid and effective upon their publication on the Seller’s Website on January 31, 2025.

This e-shop is certified by https://www.pravoeshopov.sk.

Product added to wishlist
Product added to compare.