Ekornes – privacy policy for website
 
Last updated 5th July 2018


Ekornes is a manufacturer of high-quality furniture based in Sykkylven, Norway, who always puts our customers first. By putting our customers first, we also mean being open about how we process your personal data. Use of Ekornes’ services are subject to the terms of this privacy policy.
1. 1.    Controller
Ekornes Limited ("We", “Us”, “Ekornes Ltd”) are committed to protecting and respecting your privacy and the security of your personal information.

This Privacy Policy describes how we collect and use your personal data and sets out the legal bases on which we rely for processing your personal data . Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

This notice applies to all customers, website visitors, business contacts and other interested parties. This notice does not form part of any contract to provide goods or services. We may update this notice at any time.
For the purpose of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 the data controller is Ekornes Ltd. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.  

Ekornes Ltd is a private limited liability company incorporated and registered in England and Wales with company number 01109326. Our registered office is at 22-24 Ely Place, London, EC1N 6TE.

You can send any questions about the data we hold about you or how we process it to:

dataprotection.UK@ekornes.com
FAO DPO, Ekornes Ltd, 3rd floor, 22-24 Ely Place, London, EC1N 6TE
1. 2.    DATA PROTECTION PRINCIPLES
    1. 2.1.    We will comply with the GDPR when processing your personal data. This says that the personal information we hold about you must be:
    * •    Used lawfully, fairly and in a transparent way
    * •    Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
    * •    Relevant to the purposes we have told you about and limited only to those purposes
    * •    Accurate and kept up to date
    * •    Kept only as long as necessary for the purposes we have told you about
    * •    Kept securely  
    1. 3.    Data we collect
We collect your personal data to deliver, support, adapt and develop our services, and to make the services more relevant and useful for you. By personal data, we mean any information which is directly or indirectly related to you and from which you can be identified.

    1. 3.1.    Newsletter
By registering for our newsletter, we collect the following information about you:
    * •    Email address
 

    1. 3.2.    Warranty
By using our warranty registration form, your purchases are registered. This includes the following information:
    * •    Email address
    * •    Name
    * •    Address
    * •    Postal code, city
    * •    What product you have bought
    * •    Place of purchase

    1. 3.3.    stressless.com

When visiting our website, we log your user behaviour, for example when you display or click on content, or search the site for content. We collect this personal data by using cookies and other similar technologies such as Google Analytics. See section 4.3 for an in-depth description on which information is collected.

    1. 3.4.    Events/competitions

Ekornes may run competitions throughout the year via various channels, including but not limited to social media, events, email. We will collect and process any information that is relevant to run the competition and choose the winner(s). We will not retain any information collected this way unless we have had consent to do so. Information collected can include:

    * •    Name
    * •    Address
    * •    Postal code, city  
    * •    Email address
    * •    Phone number

    1. 3.5.    Social media
Your social media content where this is in the public domain, and any messages you send direct to us via social media. This information can include posts and comments, pictures and video footage on sites such as YouTube, Facebook and Twitter. You should always review the terms and conditions and privacy policies of the social media that you use to make sure you understand what kind of information relating to you may be out there in the public domain and how you can stop or limit it from happening.

    1. 3.6.    Customer Service Enquiry
When registering a customer service enquiry, we may need to obtain some ‘personal data’ in order to complete your request. This includes the following information:
    * •    Email address
    * •    Name
    * •    Address
    * •    Postal code, city
    * •    Telephone Number
    * •    Purchased product
    * •    Where it was purchased from
    * •    Any comments, requests or feedback from you about your enquiry

    1. 4.    How Ekornes processES your PERSONAL data

Ekornes processes your personal data to offer you an adapted and personal user experience of our services.

Lawful bases for processing your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

    * •    Where we need to perform the contract we have entered into with you, or where you have asked us to take steps to enter into a contract with you
    * •    Where we need to comply with a legal obligation
    * •    Where it is necessary for our legitimate interests, such as business or commercial reasons, and your interests and fundamental rights do not override those interests

The table at the end of this privacy policy sets out the specific legal grounds we rely on when processing your personal data for various purposes. Some of the grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

Consent

On certain occasions we may ask you to consent to us using your personal data, for example when you opt-in to us sending you our newsletter or when you enter a competition. In such circumstances, you have the right to withdraw your consent for that specific processing at any time.

If you withdraw your consent then we may not be able to provide you with a particular product or service, such as sending you our newsletter or allowing you to take part in a competition. If you withdraw your consent, this will not affect the lawfulness of the processing based on your consent prior to you withdrawing your consent.

Where you opt-out of receiving marketing communications from us, this will not apply to personal data you have provided to us to process for other purposes not based on your consent, such as for product purposes or warranty registration.

If you choose not to provide us with personal data  

If you do not provide us with certain information when requested to do so, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.  

    1. 4.1.    Emails

In order to send Emails, we process personal data for the following reasons:

    * •    To send our newsletter to you, and thereby keeping you up to date on new products or similar marketing related communication, as well as sending you special offers   
    * •    To contact you regarding changes to this privacy policy  
    * •    If you participate in campaigns or competitions issued by Ekornes, the information you give us will be used to manage the campaign or competition
    * •    We use your email address to confirm your identity when necessary
    * •    We also keep a record of your email address if you opt out of receiving marketing material from us, so that we can suppress your details and prevent us sending you marketing material

Your email address is stored in a separate database and is not shared with others. You may at any time opt-out of receiving our newsletter by using the opt-out function at the bottom of the newsletter, emailing us, calling us or sending a letter.

    1. 4.2.    Warranty registration

When registering a warranty, we process your personal data in order to:

    * •    To complete the registration
    * •    To compile reports (for example on purchase statistics) and to analyse sales (frequency, number of sold goods, turnover etc.)
    * •    To send relevant information regarding the warranty

    1. 4.3.    stressless.com

The personal data collected when you visit stressless.com is used to adapt and improve the content on our website, in addition to showing you ads for our products in other channels and on the web outside of our website.

        1. 4.3.1.    Statistics and analysis

Ekornes collects information on visitors on stressless.com to compile statistics on how the site is used. The purpose is to improve and develop the information on the site. Examples of statistical information we collect are: how many visits there are, how long the visit lasts, which site the user came from, and which browser is used.

        1. 4.3.2.    Use of cookies

Ekornes use cookies on stressless.com. Cookies are small text files placed on your computer when you visit a website. The cookies enable us to understand user behaviour on our website, so we can improve the user experience. Cookies can only store text, which is usually encrypted.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.  For more information about the cookies we use, please see [LINK TO COOKIE POLICY].

        1. 4.3.3.    Google Analytics

For more information on how Google Analytics collects and uses personal data please see "How Google uses data when you use our partners' sites or apps": https://policies.google.com/technologies/partner-sites?hl=en-GB&gl=uk.

    1. 4.4.    Customer Service Enquiry

When registering a customer service enquiry, we process your personal data in order to fulfil your request. The email is sent into our CRM system so we can handle this in the most efficient way, ensuring your legitimate interests are met. Emails may be filtered to ensure they are dealt with by the correct department.

        1. 4.4.1.    Third Parties

As our customer Ekornes may need to transfer your ‘personal data’ for any of the reasons below;

        * •    Customer Service enquiries. Ekornes uses a cloud based CRM system called C4C to process all enquiries.
        * •    Technician companies. In the event that your product requires a repair, we will pass on your details to a furniture technician company.
        * •    In certain circumstances Ekornes may need to pass on address and contact details to a logistics provider to ensure you receive your product in a timely manner.



You are in charge

All browsers enable the restriction of cookies or deactivation by settings in the browser.

Please be aware that if you restrict cookies, this may affect the functionality on our website as well as other websites.

        1. 5.    Disclosure of information to third parties

Personal data collected by using our services are only processed by suppliers who fulfil Ekornes’ requirements regarding processing of personal data through the data processing agreements we have entered into with them.

We require all third parties to respect the security of your personal data and treat it in accordance with the law. We do not allow third parties to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.  

In addition to the disclosures reasonably necessary for the purposes identified elsewhere in this privacy policy, we may disclose information about you:

(a) to the extent that we are required to do so by law;
(b) in connection with any legal proceedings or prospective legal proceedings;
(c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).

We routinely share personal data with IT service providers, cloud storage providers, our bank, accountants, legal advisers, other professional advisers and other service providers. Our third party service providers change from time to time and we can let you have details of the parties who are processing your personal data at any given time upon request.

We may share your personal data with other third parties, for example in the context of a possible sale or restructuring of the business, or if it is required for legitimate business activities. We may also need to share your persona l data with a regulator, HMRC or to otherwise to comply with the law.

Please contact our data protection officer if you want further information about third parties with whom we may share your personal data.
        1. 6.    TRANSFERRING DATA OUTSIDE THE EEA

We do not transfer your personal data outside the European Economic Area (EEA).

We require that any processors or sub-processors who process personal data on our behalf ensure there are appropriate measures in place to provide a similar degree of protection for your personal data as that required in the EEA if they transfer personal data outside the EEA.

Please contact our data protection officer if you want further information on any processors or sub-propcessors used by us who may transfer your personal data out of the EEA.

 
        1. 7.    DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
        1. 8.    AUTOMATED DECISION-MAKING

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you and advised you of your rights.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
        1. 9.    Your rights

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Your rights in connection with personal information

As a user of Ekornes’ services, you have the right to request information on the personal data we process and how they are processed. You may also request correct, erasure or restriction of the processing in accordance with applicable privacy and data protection law.

You have the following rights:

        * 1.    The right to be informed

You have the right to be informed of any processing activities concerning your personal data.

        * 2.    The right of access

You have the right to request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

        * 3.    The right to rectification

You have the right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

        * 4.    The right to erasure

You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

        * 5.    The right to restrict processing

You have the right to request the restriction of processing of your personal idata. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.

        * 6.    The right to data portability

You have the right to request that we the transfer of your personal data to another party. This applies where we are processing your persona data for the performance of a contrct with you or based on your consent.

        * 7.    The right to object

You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

        * 8.    Rights in relation to automated decision making and profiling

You have the right not to be subject to a decision based solely on automatic decision-making where the processing results in legal or similarly significant effects.  We are allowed to use automated decision-making in the following circumstances:

        * •    Where we have notified you of the decision and given you 21 days to request a reconsideration.
        * •    Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
        * •    In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our data protection officer in writing.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our data protection officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

 
Right to complain to the ICO

If you are of the opinion that Ekornes has violated your rights in applicable privacy and data protection laws, you have the right to lodge a complaint with the ICO (Information Commissioner’s Office).

        1. 10.    Data retention (how long we keep your data)
To make sure we meet our legal data protection and privacy obligations, we only hold on to your information for as long as we actually need them for the purposes we acquired them in the first place (as set out above),  including for satisfying any legal, accounting or reporting requriements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

After that we will either delete it or anonymise your personal data so that it cannot be linked back to you.

        1. 11.    Changes

Ekornes reserves the right to adjust and adapt this privacy policy. If changes are made, you will be informed through our services.
 
LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA

Purpose/Activity    Type of data    Lawful basis for processing including basis of legitimate interest
Ordering our catalogue from our website    Title, name, address, email address    Performance of a contract with you

Necessary for our legitimate interests (conducting our business and promoting our products)
Registering for our newsletter    Title, name, address, email address, your preferences in receiving marketing from us    Your consent to receiving marketing material from us

Necessary for our legitimate interests (conducting our business and promoting our products)
Registering to be contacted regarding products and promotional offers    Title, name, address, email address, your preferences in receiving marketing from us    Your consent to receiving marketing material from us

Necessary for our legitimate interests (conducting our business and promoting our products)
Warranty registration    Title, name, address, email address, your preferences in receiving marketing from us    Performance of a contract with you

Necessary for our and your legitimate interests (conducting our business and providing you with care and support for your purchase from us)
Contacting customer support    Title, name, email address, country of residence, your query or message, telephone number, purchased product, where it was purchased from    Performance of a contract with you

Necessary for our and your legitimate interests (conducting our business and providing you with care and support for your purchase from us)
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy
(b) Asking you to leave a review or take a survey    Name, email address, address, your preferences in receiving marketing from us, your communication preferences,    Performance of a contract with you

Necessary to comply with a legal obligation

Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)    IP address, browser type and version, time zone and setting location, browser plug-in type and version, operating system and platform, other devices you use to access this website    Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security)

Necessary to comply with a legal obligation
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences    IP address, browser type and version, time zone and setting location, browser plug-in type and version, operating system and platform, other devices you use to access this website, information about how you use this website and our products and services    Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)


LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA

Purpose/Activity

Type of data

 
Lawful basis for processing including basis of legitimate interest  
 

Ordering our catalogue from our website

Title, name, address, email address

Performance of a contract with you
Necessary for our legitimate interests (conducting our business and promoting our products)

Registering for our newsletter

Title, name, address, email address, your preferences in receiving marketing from us

Your consent to receiving marketing material from us
Necessary for our legitimate interests (conducting our business and promoting our products)

Registering to be contacted regarding products and promotional offers

Title, name, address, email address, your preferences in receiving marketing from us

Your consent to receiving marketing material from us
Necessary for our legitimate interests (conducting our business and promoting our products)

Warranty registration

Title, name, address, email address, your preferences in receiving marketing from us

Performance of a contract with you
Necessary for our and your legitimate interests (conducting our business and providing you with care and support for your purchase from us)

Contacting customer support

Title, name, email address, country of residence, your query or message, telephone number, purchased product, where it was purchased from

Performance of a contract with you
Necessary for our and your legitimate interests (conducting our business and providing you with care and support for your purchase from us)

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Asking you to leave a review or take a survey

Name, email address, address, your preferences in receiving marketing from us, your communication preferences,

Performance of a contract with you
Necessary to comply with a legal obligation
Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

IP address, browser type and version, time zone and setting location, browser plug-in type and version, operating system and platform, other devices you use to access this website

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security)
Necessary to comply with a legal obligation

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences

IP address, browser type and version, time zone and setting location, browser plug-in type and version, operating system and platform, other devices you use to access this website, information about how you use this website and our products and services

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)