GDPR Compliance

1. What is the current status of FURNITUREROOTS’ (“FR”) GDPR compliance?

FR intends and expects to comply with GDPR by its effective date on 25 May 2018, including having a legal basis under Article 6 GDPR for processing any personal data.

 

2. How does FR process personal data?

Minimally, if at all.

FR offers businesses and individuals access to products, services, resources, and ancillary products, services, and resources it currently provides or may provide in the future (hereinafter collectively referred to as “Services”) for interior design, décor, furnishings, furniture and other products and services it currently provides or may provide in the future. 

While in limited circumstances it can be argued that the data FR processes could be personal data as well, the subscriber is using FR in order to make this informed choices in relation to his/her use of FR’s Services, suggesting a very low interest in exercising the protective rights GDPR affords data subjects in their respective personal data.

 

3. Is sensitive data stored within FR tools?

FR does not currently believe that it processes, let alone seeks or expect that it will seek to process, any personal data that is subject to Article 9 GDPR, “Processing of special categories of personal data,” which, in reference to GDPR, is generally referred to as “sensitive personal data.”

 

4. Are you a data processor, as you store and organize data from other sources?

FR currently does not believe it is a data processor for a data controller, necessitating that it enter into customary and compliant data processing agreements with data controllers. However, should that change, in order to comply with GDPR, FR believes that both FR as a data processor and the data controller will need to enter into a compliant data processor agreement.

 

5. Is FR able or will FR be able to respond to data subject requests under GDPR?

Yes.

 

6. In particular, if I am a data subject and FR is a data controller to my personal data, can FR comply with my request “to be forgotten”?

Yes. However, a data subject should understand the consequences of such a request.  

For example, with respect to any personal data that provides the necessary contact details in order to administer a subscription for a subscriber that is an organization, FR will need to replace the contact information within its system in order to manage the subscriber’s subscription and account.  

For any subscribers who are individuals, complying with a request to be forgotten will of course cause a permanent termination of the subscriber’s account and subscription. FR also often tries to “win-back” terminated or expired subscribers with discount offers, and eliminating or permanently “forgetting” personal data will eliminate FR’s ability to make any such offers to the data subject.

If you are a data subject and have requests of FR under GDPR related to your individual rights in your personal data, including a “request to be forgotten/for erasure,” “rectification,” etc., please email business@furnitureroots.com. FR will promptly review your request and respond to you.  

 

7. Which personal data does your company collect?

Most of the personal data that FR collects occurs in the user or subscriber account creation process, the payment and administration process, as well as the customer care and success processes. That typically data consists of: subscriber or account-holder contact email address; display name; and data required to make a purchase, such as credit card details and billing information, including cardholder first and last name and billing address.

FR does not collect or process any sensitive personal data. 

FR’s efforts to identify all existing and any new sources of personal data collection are ongoing toward being compliant with GDPR by 25 May 2018.

 

8. Where are the headquarters of your company?

FR is headquartered in Jodhpur, Rajasthan, India.

 

9. Are you planning to align all your contracts, Terms of Use, and Privacy Policies with the GDPR?

Yes.

 

10. Are you offering data storage and all processing for your EU customers to take place within the EU?

As FR is headquartered in India and is not “established” anywhere in the EU, it does not see any advantage in hosting personal data in the EU, since FR does not anticipate to have any personnel on its rolls in the EU to process any of the personal data in order to perform its obligations to its subscribers. 

 

11. Are you willing to sign the mandatory data processing agreement?

As answered in Question 4 (above), FR currently does not believe it is a data processor for a data controller, necessitating that it enter into customary and compliant data processing agreements with data controllers. However, should that change, in order to comply with GDPR, FR believes that both FR as a data processor and the data controller will need to enter into a compliant data processor agreement.  

 

Updated May 18, 2020