Data security

PRIVACY POLICY 

Last updated September 28, 2022.

We are delighted with your interest in Bolia A/S ('we', 'us', 'our') and our products.

We take the protection of your information seriously. This privacy policy describes in more detail how we process your personal data and what rights you have.

You give your consent for us to process your personal data in accordance with this privacy policy. The processing of your personal data is necessary so that we, for example, can enter into and honour agreements with you, respond to your enquiries and send you marketing material (if you have given your consent for this).

 

1 CONTACT INFORMATION

1.1 We are data controllers in accordance with applicable data protection legislation, including the Danish Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the 'General Data Protection Regulation').

1.2 If you have any questions or comments regarding this privacy policy you can contact us at:

Bolia A/S
Værkmestergade 11
8000 Aarhus C
Denmark
Email: gdpr@bolia.com
Telephone: +45 88 96 02 24

 

2 OUR PROCESSING OF YOUR PERSONAL DATA, INCLUDING THE PURPOSE AND THE BASIS FOR THE PROCESSING

In this section you can read more about the purposes for which we process your personal data, the legal basis for the processing and how long we process your personal data for.

2.1 Delivery of our goods to you

2.1.1 We process the following of your personal data in order to enter into an agreement with you and deliver our products to you.

2.1.2 For the purpose mentioned above, we process the following personal data:

  • Your full name
  • Contact details, including address, email address and telephone/mobile phone number

  • The IP address you are shopping from

  • Order details

  • Payment card details

  • The information you provide when contacting and communicating with us, including via the chat service on our website

  • Information about your approved loan or financing agreements, if you make use of financing via Express Bank (also called Bolia Furniture Credit). We receive this information from Express Bank A/S, with whom you have entered into a separate agreement.

2.1.3 The legal basis for our processing is our agreement with you on the delivery of goods to you, cf. Article 6(1)(b).

2.1.4 We store your personal data for up to 3 years after the fulfilment of the agreement.  However, we will retain bookkeeping material for the current year + 5 years in order to comply with the requirements in Section 10 of the Danish Bookkeeping Act and the legal basis for storage is our legal obligations, cf. GPDR Article 6(1)(c). In specific cases, we may also store the data for a longer period where it is necessary to establish, exercise or defend a legal claim, and the legal basis for this is our legitimate interest in this, as it is assessed that our interest in processing the personal data exceeds your interest in the data not being processed, cf. GPDR Article 6(1)(f).

 

2.2 Marketing, including profiling

2.2.1 If you have subscribed to our newsletter, we process your personal data in order to send marketing and carry out profiling so that we can better target marketing to you and your interests. For example, we can send you personal offers and recommendations (for example, information about cleaning products for your furniture or products in your basket), messages about inspiring promotions, new launches and invitations to events, if you have consented to this. Some of the personal data is collected via cookies, if you have consented to this, cf. more details in section 2.6.
We do not carry out profiling as covered by GDPR Article 22, i.e. profiling that may result in negative consequences for you.

2.2.2 For this purpose, we process the following personal data:

  • Your name

  • Contact details, including email address

  • Geographical location and your chosen language

  • Nearest Bolia store

  • History of your purchases with us

  • History of your searches on our website

  • History of your interaction with our newsletters

 

2.2.3 The legal basis for our processing is your consent, cf. GPDR Article 6(1)(a). You can withdraw your consent to marketing at any time by clicking on the link at the bottom of the emails received, clicking here or by contacting us using the contact details listed in section 1.

2.2.4 We process your personal data for this purpose until you withdraw your consent or after a period of 12 months in which you have not interacted with our marketing + 5 years thereafter to use as documentation in the event of any disputes.

2.2.5 In some cases, we may process your data to show you relevant banner ads and similar advertisements about us. This processing does not take place on the basis of your consent to the newsletter, but takes place using cookies if you have consented to this, cf. more details in section 2.6.

 

2.3 Communicating with you

2.3.1 If you contact us via our contact details or via the chat service on our website, we will process the personal data you provide us with in connection with our communication with you in order to be able to respond to your enquiry.

2.3.2 The legal basis for our processing is our legitimate interest in being able to respond to your enquiries, as it is assessed that our legitimate interest in processing the personal data exceeds your interest in the data not being processed, cf. GDPR Article 6(1)(f).

2.3.3 We store your personal data for this purpose for up to 3 months after the correspondence has been completed. If your enquiry ends in a purchase, we will store the correspondence with you in accordance with section 2.1.

 

2.4 My Bolia profile

2.4.1 If you create a My Bolia profile on our website, we process your personal data for the purpose of creating and managing your profile, including saving your wish list on bolia.com (if you create one), and for sending you marketing material and carrying out profiling. We do not carry out profiling as covered by GDPR Article 22, i.e. profiling that may result in negative consequences for you.

2.4.2 For this purpose, we process the following personal data:

  • Your name

  • Contact details, including email address

  • User ID

  • Nearest Bolia store and your chosen language

  • History of your purchases with us

  • Your searches on our website

 

2.4.3 The legal basis for our processing is your consent, cf. GPDR Article 6(1)(a). You can rescind your consentto MyBolia at any time by deleting your profile here, or by contacting us using the contact information in point 1. If you withdraw your consent, your MyBolia membership will cease.

2.4.4 We process your personal data for this purpose until you withdraw your consent or after a period of 12 months in which you have not interacted with your MyBolia profile + 5 years thereafter to use as documentation in the event of any disputes.

 

2.5 Participating in competitions

2.5.1 If you participate in our competitions, we will process the personal data you provide to us in connection with your participation in our competitions for the purpose of communicating with you and to be able to send you any prizes.

2.5.2 The legal basis for our processing is our legitimate interest in running the competition, as it is assessed that our legitimate interest in processing the personal data exceeds your interest in the data not being processed, cf. GDPR Article 6(1)(f).

2.5.3 We will keep your personal data for this purpose for up to 3 months after the prizes have been awarded to the winners.

 

2.6 Cookies

2.6.1 If you have given your consent to the use of cookies on our website, we automatically collect certain personal data, including information about your browser and your device (computer, mobile or tablet), your behaviour on our website (including which pages you have visited and the length of your visit) and your IP address.

2.6.2 The purpose of the processing is to enable us to prepare statistics and analyses that enable us to improve our website and products, as well as to target our marketing and website to you and your interests. Our marketing based on your consent to cookies relates to banner ads and similar advertisements about us (as opposed to your consent to our newsletter sent to your email inbox). 

2.6.3 The legal basis for this processing is your consent, cf. GDPR Article 6(1)(a).

2.6.4 The information collected via cookies is stored until your consent is withdrawn or (if the consent is not withdrawn) until the cookies in question expire after the period stated in our cookie policy.

2.6.5 You can read more about this in our cookie policy, which you can find here.

 

 

3 TRANSFER OF YOUR PERSONAL DATA TO THIRD PARTIES

3.1 We can, to the relevant extent, transfer your personal data to the categories of recipients specified below:

  • Affiliated companies

  • Service providers, including hosting providers, CRM system providers and third parties providing IT support or assisting with marketing activities, etc.

  • Trade partners

  • Carriers

  • Consultants

  • Public authorities to the extent required by law or court order or where necessary to establish, exercise or defend our legal rights

  • Other third parties if you consent or if they are involved in a merger or acquisition involving all or part of our business or assets herein.

3.2 Several of these recipients are data processors for us and, in accordance with our instructions, process personal data for which we are the data controller. The data processors may not use the data for purposes other than fulfilment of their agreement with us, and must treat the data as confidential. We have entered into written data processing agreements with our data processors who process personal data on our behalf.

3.3 Certain recipients are independent data controllers (e.g. public authorities) and their processing is governed by their own privacy policy, which we have no influence over.

 

4 TRANSFER TO THIRD PARTIES OUTSIDE THE EU/EEA

4.1 Some of the third parties to which we transfer personal data may be located outside the EU/EEA, including the recipient being established in a country outside the EU/EEA or by the personal data being accessible by persons who are outside the EU/EEA.

4.2 When we transfer your personal data to recipients in countries outside the EU/EEA that do not have an adequate level of data protection in accordance with data protection legislation, we will always ensure that the necessary security measures for the protection of your personal data are in place. 46. Transfers will only take place if the recipient:

  • is located in a country which, according to the decision taken by the European Commission, has a sufficiently high level of protection, or

  • has entered into an agreement with us based on the European Commission’s Standard Contractual Clauses and where the risk assessment carried out indicates that a lawful transfer can take place.

 

4.3 We transfer your personal data to the following third parties outside the EU/EEA:


Recipient


Purpose of use


Country


Protective measure



Our branch


Sending marketing material

 


Switzerland

 

The European Commission’s Adequacy Decision

 

Carriers

 

Delivery of your order

 

Switzerland

 

The European Commission’s Adequacy Decision

 

Social media


Sending marketing material

 

 

United States

 

The European Commission’s Adequacy Decision

 

Google

 

Sending marketing material

 

 

United States

 

The European Commission’s Adequacy Decision

 

4.4 You are welcome to contact us at gdpr@bolia.com if you would like further information about our transfers of personal data to third parties outside the EU/EEA, or would like a copy of relevant documents, including the European Commission’s standard contracts.

5 YOUR RIGHTS

You have the following rights in relation to our processing of your personal data:

5.1 Right of access
You have the right to request information about or have access to the personal data we process about you. However, there are exceptions, which mean that you do not always receive all the personal data that we process.

5.2 Right to rectification
You have the right to have incorrect personal data about you corrected. You also have the right to have personal data completed that you believe to be incomplete.

5.3 Right to delete
In certain cases, you have the right to request deletion of your personal data.

5.4 Right to restriction of processing
In certain cases, you have the right to have the processing of your personal data restricted.

5.5 Right to data portability
You have the right to receive a copy of your personal data in a structured, commonly used and machine-readable format by contacting us through the contact details set out in section 1. If technically possible, you have the right to request that the personal data be transmitted directly to another company or person acting as data controller.

5.6 Right to object
You have the right to object to our processing of your personal data. This means that you can prevent us from processing your personal data. However, this only applies in certain cases, and we do not need to stop processing your personal data if we can provide legitimate grounds for continuing the processing of your personal data.

5.7 Exercise of rights
The above rights may be exercised by contacting us using the contact details stated in section 1 above. However, if you wish to submit a complaint to the Danish Data Protection Agency, this can be done using the information mentioned in section 5.8.

5.8 Right to complain
If you wish to complain about our processing of your personal data, you can contact the Danish Data Protection Agency at www.datatilsynet.dk.


6 SPECIFICALLY FOR JOB APPLICANTS

6.1 If you are applying for a job with us, we process the personal data which you send to us in connection with your job application, including, for example, your CV, along with any data we receive from recruitment agencies you have been in contact with. If you have referred to previous employers, we will only contact them if you give your consent. 

6.2 We process personal data because it is necessary in order to pursue our legitimate interests in being able to process your job application, cf. GPDR's Article 6(1)(f). Any contact with your references will take place on the basis of your consent, cf. GPDR Article  6(1)(a).

6.3 Your job application and your personal data contained herein will be stored for up to six months from the date we receive your job application, unless you consent to us storing for a longer period.

6.4 Your personal data is also processed in accordance with this privacy policy, including transfer to the third parties stated in section 4, just as you naturally have the rights as set out in section 5.


7 CHANGES TO THIS PRIVACY POLICY

7.1 Significant changes to this privacy policy will be notified on our website and notified to you via email (if you have provided us with this in connection with the processing of data covered by this privacy policy).