Data security

PRIVACY POLICY 

Last updated April 19, 2023.

We are delighted with your interest in Bolia A/S ('we', 'us', 'our') and our products.

We take the protection of your information seriously. This privacy policy describes in more detail how we process your personal data and what rights you have.

You give your consent for us to process your personal data in accordance with this privacy policy. The processing of your personal data is necessary so that we, for example, can enter into and honour agreements with you, respond to your enquiries and send you marketing material (if you have given your consent for this).

 

1 CONTACT INFORMATION

1.1 We are data controllers in accordance with applicable data protection legislation, including the Danish Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the 'General Data Protection Regulation').

1.2 If you have any questions or comments regarding this privacy policy you can contact us at:

Bolia A/S
Værkmestergade 11
8000 Aarhus C
Denmark
Email: gdpr@bolia.com
Telephone: +45 88 96 02 24

 

2 OUR PROCESSING OF YOUR PERSONAL DATA, INCLUDING THE PURPOSE AND THE BASIS FOR THE PROCESSING

In this section you can read more about the purposes for which we process your personal data, the legal basis for the processing and how long we process your personal data for.

2.1 Delivery of our goods to you

2.1.1 We process the following of your personal data in order to enter into an agreement with you and deliver our products to you.

2.1.2 For the purpose mentioned above, we process the following personal data:

  • Your full name
  • Contact details, including address, email address and telephone/mobile phone number

  • The IP address you are shopping from

  • Order details

  • Payment card details

  • The information you provide when contacting and communicating with us, including via the chat service on our website

  • Information about your approved loan or financing agreements, if you make use of financing via Express Bank (also called Bolia Furniture Credit). We receive this information from Express Bank A/S, with whom you have entered into a separate agreement.

2.1.3 The legal basis for our processing is our agreement with you on the delivery of goods to you, cf. Article 6(1)(b).

2.1.4 We store your personal data for up to 3 years after the fulfilment of the agreement.  However, we will retain bookkeeping material for the current year + 5 years in order to comply with the requirements in Section 10 of the Danish Bookkeeping Act and the legal basis for storage is our legal obligations, cf. GPDR Article 6(1)(c). In specific cases, we may also store the data for a longer period where it is necessary to establish, exercise or defend a legal claim, and the legal basis for this is our legitimate interest in this, as it is assessed that our interest in processing the personal data exceeds your interest in the data not being processed, cf. GPDR Article 6(1)(f).

 

2.2 Marketing, including profiling

2.2.1 If you have subscribed to our newsletter, we process your personal data in order to send marketing and carry out profiling so that we can better target marketing to you and your interests. For example, we can send you personal offers and recommendations (for example, information about cleaning products for your furniture or products in your basket), messages about inspiring promotions, new launches and invitations to events, if you have consented to this. Some of the personal data is collected via cookies, if you have consented to this, cf. more details in section 2.6.
We do not carry out profiling as covered by GDPR Article 22, i.e. profiling that may result in negative consequences for you.

2.2.2 For this purpose, we process the following personal data:

  • Your name

  • Contact details, including email address

  • Geographical location and your chosen language

  • Nearest Bolia store

  • History of your purchases with us

  • History of your searches on our website

  • History of your interaction with our newsletters

 

2.2.3 The legal basis for our processing is your consent, cf. GPDR Article 6(1)(a). You can withdraw your consent to marketing at any time by clicking on the link at the bottom of the emails received, clicking here or by contacting us using the contact details listed in section 1.

2.2.4 We process your personal data for this purpose until you withdraw your consent or after a period of 12 months in which you have not interacted with our marketing + 5 years thereafter to use as documentation in the event of any disputes.

2.2.5 In some cases, we may process your data to show you relevant banner ads and similar advertisements about us. This processing does not take place on the basis of your consent to the newsletter, but takes place using cookies if you have consented to this, cf. more details in section 2.6.

 

2.3 Communicating with you

2.3.1 If you contact us via our contact details or via the chat service on our website, we will process the personal data you provide us with in connection with our communication with you in order to be able to respond to your enquiry.

2.3.2 The legal basis for our processing is our legitimate interest in being able to respond to your enquiries, as it is assessed that our legitimate interest in processing the personal data exceeds your interest in the data not being processed, cf. GDPR Article 6(1)(f).

2.3.3 We store your personal data for this purpose for up to 3 months after the correspondence has been completed. If your enquiry ends in a purchase, we will store the correspondence with you in accordance with section 2.1.

 

 

2.4 Participating in competitions

2.4.1 If you participate in our competitions, we will process the personal data you provide to us in connection with your participation in our competitions for the purpose of communicating with you and to be able to send you any prizes.

2.4.2 The legal basis for our processing is our legitimate interest in running the competition, as it is assessed that our legitimate interest in processing the personal data exceeds your interest in the data not being processed, cf. GDPR Article 6(1)(f).

2.4.3 We will keep your personal data for this purpose for up to 3 months after the prizes have been awarded to the winners.

 

2.5 Cookies

2.5.1 If you have given your consent to the use of cookies on our website, we automatically collect certain personal data, including information about your browser and your device (computer, mobile or tablet), your behaviour on our website (including which pages you have visited and the length of your visit) and your IP address.

2.5.2 The purpose of the processing is to enable us to prepare statistics and analyses that enable us to improve our website and products, as well as to target our marketing and website to you and your interests. Our marketing based on your consent to cookies relates to banner ads and similar advertisements about us (as opposed to your consent to our newsletter sent to your email inbox). 

2.5.3 The legal basis for this processing is your consent, cf. GDPR Article 6(1)(a).

2.5.4 The information collected via cookies is stored until your consent is withdrawn or (if the consent is not withdrawn) until the cookies in question expire after the period stated in our cookie policy.

2.6.5 You can read more about this in our cookie policy, which you can find here.

 

 

3 TRANSFER OF YOUR PERSONAL DATA TO THIRD PARTIES

3.1 We can, to the relevant extent, transfer your personal data to the categories of recipients specified below:

  • Affiliated companies

  • Service providers, including hosting providers, CRM system providers and third parties providing IT support or assisting with marketing activities, etc.

  • Trade partners

  • Carriers

  • Consultants

  • Public authorities to the extent required by law or court order or where necessary to establish, exercise or defend our legal rights

  • Other third parties if you consent or if they are involved in a merger or acquisition involving all or part of our business or assets herein.

3.2 Several of these recipients are data processors for us and, in accordance with our instructions, process personal data for which we are the data controller. The data processors may not use the data for purposes other than fulfilment of their agreement with us, and must treat the data as confidential. We have entered into written data processing agreements with our data processors who process personal data on our behalf.

3.3 Certain recipients are independent data controllers (e.g. public authorities) and their processing is governed by their own privacy policy, which we have no influence over.

 

4 TRANSFER TO THIRD PARTIES OUTSIDE THE EU/EEA

4.1 Some of the third parties to which we transfer personal data may be located outside the EU/EEA, including the recipient being established in a country outside the EU/EEA or by the personal data being accessible by persons who are outside the EU/EEA.

4.2 When we transfer your personal data to recipients in countries outside the EU/EEA that do not have an adequate level of data protection in accordance with data protection legislation, we will always ensure that the necessary security measures for the protection of your personal data are in place. 46. Transfers will only take place if the recipient:

  • is located in a country which, according to the decision taken by the European Commission, has a sufficiently high level of protection, or

  • has entered into an agreement with us based on the European Commission’s Standard Contractual Clauses and where the risk assessment carried out indicates that a lawful transfer can take place.

 

4.3 We transfer your personal data to the following third parties outside the EU/EEA:


Recipient


Purpose of use


Country


Protective measure



Our branch


Sending marketing material

 


Switzerland

 

The European Commission’s Adequacy Decision

 

Carriers

 

Delivery of your order

 

Switzerland

 

The European Commission’s Adequacy Decision

 

Social media


Sending marketing material

 

 

United States

 

The European Commission’s Adequacy Decision

 

Google

 

Sending marketing material

 

 

United States

 

The European Commission’s Adequacy Decision

 

4.4 You are welcome to contact us at gdpr@bolia.com if you would like further information about our transfers of personal data to third parties outside the EU/EEA, or would like a copy of relevant documents, including the European Commission’s standard contracts.

5 YOUR RIGHTS

You have the following rights in relation to our processing of your personal data:

5.1 Right of access
You have the right to request information about or have access to the personal data we process about you. However, there are exceptions, which mean that you do not always receive all the personal data that we process.

5.2 Right to rectification
You have the right to have incorrect personal data about you corrected. You also have the right to have personal data completed that you believe to be incomplete.

5.3 Right to delete
In certain cases, you have the right to request deletion of your personal data.

5.4 Right to restriction of processing
In certain cases, you have the right to have the processing of your personal data restricted.

5.5 Right to data portability
You have the right to receive a copy of your personal data in a structured, commonly used and machine-readable format by contacting us through the contact details set out in section 1. If technically possible, you have the right to request that the personal data be transmitted directly to another company or person acting as data controller.

5.6 Right to object
You have the right to object to our processing of your personal data. This means that you can prevent us from processing your personal data. However, this only applies in certain cases, and we do not need to stop processing your personal data if we can provide legitimate grounds for continuing the processing of your personal data.

5.7 Exercise of rights
The above rights may be exercised by contacting us using the contact details stated in section 1 above. However, if you wish to submit a complaint to the Danish Data Protection Agency, this can be done using the information mentioned in section 5.8.

5.8 Right to complain
If you wish to complain about our processing of your personal data, you can contact the Danish Data Protection Agency at www.datatilsynet.dk.


6 SPECIFICALLY FOR JOB APPLICANTS

6.1 If you are applying for a job with us, we process the personal data which you send to us in connection with your job application, including, for example, your CV, along with any data we receive from recruitment agencies you have been in contact with. If you have referred to previous employers, we will only contact them if you give your consent. 

6.2 We process personal data because it is necessary in order to pursue our legitimate interests in being able to process your job application, cf. GPDR's Article 6(1)(f). Any contact with your references will take place on the basis of your consent, cf. GPDR Article  6(1)(a).

6.3 Your job application and your personal data contained herein will be stored for up to six months from the date we receive your job application, unless you consent to us storing for a longer period.

6.4 Your personal data is also processed in accordance with this privacy policy, including transfer to the third parties stated in section 4, just as you naturally have the rights as set out in section 5.


7 CHANGES TO THIS PRIVACY POLICY

7.1 Significant changes to this privacy policy will be notified on our website and notified to you via email (if you have provided us with this in connection with the processing of data covered by this privacy policy).



MyBolia Privacy Policy

Bolia International A/S (“Bolia”, “we” or “us”) processes personal data about you when you register with the MyBolia customer club in accordance with the principles and requirements of the General Data Protection Regulation and the Danish Data Protection Act.

 

The purpose of this privacy policy is to tell you how we process your personal data before, during and after your membership and about your rights in connection with the processing.

 

If you have questions about the privacy policy, or wish to exercise your individual rights described below, you can contact Bolia via the following contact information:

 

Bolia International A/S

CVR no.: 25451996

Værkmestergade 11,1

DK-8000 Aarhus C,

Email: gdpr@bolia.com

 

1.              Purpose of the processing

Bolia processes personal data about customers for the purpose of creating, maintaining and concluding membership of MyBolia. Before and after your membership, we therefore collect, register and process personal data about you for the following purposes:

 

  • Registering you as a member of the customer club
  • Registration in our IT systems
  • Customer service and support regarding your membership
  • Contact and communication with you
  • Marketing our services and products, including offering special benefits and discounts
  • Analyses and statistics for optimising our services and for adapting our marketing to your preferences
2.              Types of personal data

Bolia processes general personal data that you provide when establishing your membership, including:

 

  • Name
  • Email
  • Nearest Bolia store
  • User ID
  • Postcode
  • Date of birth

 

In addition, we process data when you make a purchase and/or take advantage of offers that are sent as part of your membership of MyBolia. This information includes:

 

  • Language
  • Geographical data (location, town, country)
  • Purchase history
  • Address
  • Telephone number
  • Purchase history and receipts from our checkout system
  • Behaviour, incl. behaviour on our website
  • Order history incl. order value, order type, order content and other purchase behaviour linked to your orders as a member of MyBolia.
  • Benefits received and used
  • Any related discounts

 

Bolia does not process sensitive personal data about you in connection with your membership of MyBolia.

3.              Types of personal data and legal basis for processing

 

Purpose of use

Types of personal data

Legal basis

Membership creation

·         Name

·         Email

·         Nearest Bolia store

·         User ID

·         Postcode

·         Date of birth

 

Our fulfilment or conclusion of an agreement for our customer club, in particular the creation of a personal profile and the granting of personal benefits (GPDR Article 6(1)(b)).

 

Our legitimate interest to ensure adequate registration (GPDR Article 6(1)(f)).

Registration in our IT systems

·         Name

·         Email

·         Nearest Bolia store

·         User ID

·         Postcode

·         Date of birth

 

The processing is necessary for the implementation of measures taken at your request prior to entering into an agreement on access to our customer club (GPDR Article 6(1)(b)).

Customer service, administration and support regarding your membership

·         Name

·         Email

·         Address

·         Telephone number

·         Nearest Bolia store

·         Geographical data (location, town, country)

·         User ID

·         Language

·         Date of birth

·         Device info (information about your device’s operating system)

·         Purchase history and receipts from our checkout system

·         Order history incl. order value, order type, order content, etc.

·         Payment cards used in connection with purchases

·         Benefits received and used

·         Any related discounts

 

Our legitimate interest in ensuring adequate customer service and support (GDPR Article 6(1)(f)).

Other contact and communication with you

·         Name

·         Email

·         Telephone number

 

Our legitimate interest in ensuring adequate communication with you (GPDR Article 6(1)(f)).

Marketing our services and products, including offering special benefits and discounts

·         Name

·         Email

·         User ID

 

Our legitimate interest in marketing our products (GDPR article 6(1)(f)).

Direct marketing and profiling

·         User ID

·         Geographical data (location, town, country)

·         Language

·         Device info (information about your device’s operating system)

·         Purchase history and receipts

·         Behaviour, incl. buying behaviour and behaviour on our website

·         Order history incl. order value, order type, order content and other purchase behaviour linked to your orders as a member of MyBolia.

·         Benefits received and used

·         Any related discounts

Your consent (GPDR Article 6(1)(a))

Analyses and statistics for optimising our services

·         Behaviour, incl. website behaviour

 

Our legitimate interest in improving our products (GDPR Article 6(1)(f)).

Cookies

·         Your IP address

·         Information about your previous visits and preferences on the website

Our legitimate interest in improving our products (GDPR Article 6(1)(f)).

 

Your consent (GPDR Article 6(1)(a))

 

4.              Who do we share personal data with?

As a rule, we do not disclose personal data to others in connection with your membership of MyBolia.

 

Depending on your activities, we may disclose your personal data to the following overall categories of suppliers, partners and data processors who need it in order to fulfil the processing purposes stated above, or to those to whom Bolia is obliged under applicable legislation to disclose your data.

 

  • Operating and software suppliers and other data processors
  • Auditor, lawyer and bank contacts
  • Suppliers and partners
  • Authorities

 

The list is not exhaustive, which means that we may have to disclose your personal data to others.

 

However, these data processors may only access and process personal data on behalf of Bolia pursuant to our explicit instructions and for the purpose of fulfilling specific purposes set out in a written data processing agreement between Bolia and the data processor.

5.              Transfer of personal data to third countries

Some of the third parties to which we transfer personal data may be located outside the EU/EEA, including the recipient being established in a country outside the EU/EEA or by the personal data being accessible by persons who are outside the EU/EEA.

 

To the extent that personal data is transferred to third countries, Bolia ensures an adequate level of protection by entering into EU standard contracts with the recipient of the data, or by ensuring that the recipients, as a minimum, are subject to special certification mechanisms, or that these constitute “safe” third countries approved by the EU Commission.

 

You can request a copy of the data transfer basis by contacting Bolia. 

 

We transfer your personal data to the following third parties outside the EU/EEA:

 

Recipient

Purpose of use

Country

Protective measure

Our branch

Sending marketing material

Switzerland

The European Commission’s Adequacy Decision

Microsoft.

Administration via Office, including support and security tasks from Microsoft

Non-EU based

EU standard contracts

Social media

 

Sending marketing material

United States

EU standard contracts

Google

Sending marketing material

United States

EU standard contracts

 

6.              Storage period

Bolia stores personal data for as long as necessary to fulfil the purposes described above. As a rule, personal data is therefore only stored for as long as membership of MyBolia is maintained.

 

Backup copies containing personal data about you are routinely deleted by gradual overwriting and cannot be accessed in the normal way.

7.              Rights

You can at any time request Bolia for access, rectification and deletion of your personal data. In addition, you can limit Bolia’s processing of your personal data, object to the processing and exercise your right to have your personal data disclosed and transferred to another data controller (right to data portability).

 

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time by contacting Bolia. However, such withdrawal will not affect the processing of personal data that took place prior to the withdrawal.

 

You can also read more about your rights in the Danish Data Protection Agency’s guidelines on the rights of data subjects. The guidelines can be found on the Danish Data Protection Agency’s website (www.datatilsynet.dk ).

8.              Complaints

You can complain to the Danish Data Protection Agency at any time about Bolia’s processing of your personal data via the contact details below:

 

The Danish Data Protection Agency
Carl Jacobsens Vej 35

DK-2500 Valby

Tel. +45 33 19 32 00
dt@datatilsynet.dk

 

9.              Changes to the privacy policy

This privacy policy will be updated and amended periodically, including when necessary due to changes in data protection laws and practices. You should therefore keep up to date with changes to the privacy policy. Some changes are communicated directly to you by email and you may be asked to accept significant changes.

 

Date of last privacy policy change: April 19, 2023