We pay particular attention to the privacy protection of our customers, contractors and employees. One of the key aspects is the protection of rights and freedoms of natural persons in connection with the processing of personal data. We strive to ensure that your data are processed in accordance with the GDPR, the Personal Data Protection Act, as well as with detailed regulations (included, among others, in the Labour Law or the Accounting Act). The Company is the Controller of personal data within the meaning of Article 4(7) of the GDPR. We also use the services of processing entities, referred to in Article 4(8) of the GDPR who process personal data on behalf of the Controller (e.g. accounting and IT companies, security firms, law firms, hosting providers and ICT services, carriers, entities handling electronic payments). We, as the Company, implement appropriate technical and organizational measures to ensure a level of security appropriate to the potential risk of violation of the rights or freedoms of natural persons with varying likelihood of occurrence and severity of the threat. We also apply policies and procedures, as well as we organize regular trainings that increase the knowledge and competences of our lawyers in this area.
Why do we use your personal data?
We, as the Employer, process the personal data of our employees and persons who cooperate with us on a basis other than employment relationship (Article 6(1)(B)(C) of the GDPR). Contact details obtained from customers who do the shopping via the e-store are used to conclude and efficiently perform agreements or to take actions at the request of the Customer before concluding the agreement (Article 6(1)(B) of the GDPR). We also conduct marketing activities and within its framework we strive to reach the widest possible range of interested persons to provide them with up-to-date information on our products and services (Article 6(1)(A) of the GDPR). In addition, we process data to accept and process complaints and conduct correspondence with our Customers (Article 6(1)(C) of the GDPR). We process data to assess and analyse activities and information about the Customer, including as part of the automated processing of personal data (profiling) to present general advertisements, offers or promotions (rebates) on the Company’s products or services, in a manner adapted to the interests of a given Customer (without significantly affecting his or her decisions), in particular to perform the Newsletter Agreement, market and statistical analyses. We provide third parties with your data upon your consent or when we are obliged to do so under the provisions of law.
On which rules and basis do we process your personal data?
We strive to protect the interests of the data subjects with due diligence and, in particular, we ensure that the data are:
- processed in accordance with law, in a fair and transparent manner for the data subject;
- collected for specific, explicit and legitimate purposes and not processed further in a manner inconsistent with these purposes;
- adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- correct and updated as necessary; we take actions for personal data that are improper in the light of purposes of processing to be immediately deleted or corrected;
- stored in a form allowing for identification of the data subject for a period of not more than it is necessary for the purposes;
- processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss or destruction.
Your data are processed on the basis of the consents which can be withdrawn at any time. Another case is the situation in which the processing of your data is necessary for the performance of the agreement to which you are a party or to take action at your request, before the conclusion of the agreement. In some situations, processing is necessary to fulfill the legal obligation imposed on us as the Controller. Such obligations arise, for example, from the provisions of the Labour Law or the Accounting Act. Processing may also be necessary for the purposes arising from our legitimate interests, an example of which is the pursuit of claims from our business activities. Usually, we will process personal data such as: name and surname, address, e-mail address, telephone number, bank account number, business address, tax identification number.
Remember that providing your personal data when placing an order in the E-store or when registering for participation in the contest organized by us is voluntary, but it is the condition for the placement of an order or the correct participation in the contest.
What rights are you entitled to?
We strive to provide you with all relevant information in a concise, clear, understandable and easily accessible form, and to communicate with you with regard to the processing of your personal data in connection with the fulfilment of your right to:
- information provided when acquiring personal data,
- information provided upon request on whether the data are processed and other matters specified in Article 15 of the GDPR, including the right to copy data,
- correct data;
- be forgotten;
- restriction of processing;
- transfer data;
- file an objection;
- not being subject to decisions based solely on automated processing (including profiling),
- information on personal data breach,
- withdrawal of the previously granted consent to the processing of personal data (however, the withdrawal does not affect the lawfulness of data processing on the basis of consent before its withdrawal),
- make a complaint against the illegal processing of personal data (the President of the Office for the Protection of Personal Data, address: ul. Stawki 2, 00-193 Warszawa).
Before making a complaint remember that you have the right to file an objection against the processing of your personal data in order to perform legally justified interests of the Company or a third party, including, in particular, processing for marketing and profiling purposes (if there are no other important legitimate grounds for processing superior to the interests of the Customer).
In order to contact us regarding the execution of a given right, send a message to the following address: email@example.com.
In what manner will we contact you?
We provide information in writing or in other manners, including electronic means, where appropriate. If you request this, we can provide verbal information if we can confirm your identity by other means. If you submit your request electronically, if possible, the information will also be transmitted electronically, unless you specify another preferred form of communication.
When do we fulfil your request?
We try to provide information without unnecessary delay, in principle, within one month from the date of receiving a request. If necessary, we will extend this deadline by another two months due to the complexity of the request or the number of requests. However, in each case, we will inform you of actions taken and (if applicable) of the extended deadline stating the reason for the delay within one month from the date of receiving the request.
If we cooperate with entities that process personal data on our behalf, we exclusively use the services of such processing entities that provide sufficient guarantees to implement the appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of the data subjects. We verify in detail the entities to which we entrust the processing of your data. We conclude detailed agreements with them, and we periodically audit the compliance of the processing operations with the content of such agreements and provisions of law.
How do we take care of your data?
In order to comply with legal requirements, we have developed detailed procedures covering the following issues:
- data protection in the design phase and default data protection,
- impact assessment for data protection,
- notification of breaches,
- preparing a register of data processing activities,
- data retention,
- execution of rights of data subjects.
We regularly check and update our records in order to be able to demonstrate compliance with legal requirements in accordance with the principle of accountability formulated in the GDPR, but we also strive to incorporate the best market practices in the interests of the data subjects.
Personal data are stored in a form allowing for identification of the data subject for a period of not more than it is necessary for the purposes for which the data are processed. After such a period, the data are anonymized (depersonalized) or deleted. Deleting personal data is complete and permanent. We ensure:
- limiting the period of storage of personal data to the strict minimum,
- setting a date for the deletion of personal data and criteria for determining this date or a periodic review.
We determine the period of data processing in the first place on the basis of the provisions of law (e.g. time of storing of employee documentation, accounting documents), as well as the legitimate interest of the Controller (e.g. marketing activity). Retention policy includes data processed both in paper and in electronic form.
We ensure that every person acting with our authorization and having access to your personal data will process it only at our request, unless other requirements arise from EU law or the law of a Member State
We may also collect your personal data via Facebook. We would like you to know that we also protect your data collected using communication channels such as:
- website https://www.facebook.com and any other websites marked or co-branded with the Facebook brand (including subdomains, international versions, widgets and versions for mobile phones), whose operating principles are based on regulations made available in particular at https://www.facebook.com/legal/terms, provided by Facebook Inc. or Facebook Ireland Limited, including via the Facebook Lead Ads function aimed at direct marketing of the Controller’s own products or services. The rules for the protection and use of the Personal Data by the Facebook Service are available, for example, at: https://www.facebook.com/policy.php. The Controller has no influence on the content of the legal regulations of the Facebook Website, including personal data.
- applications enabling the Controller to run advertising campaigns on the Facebook Website, including contests.
Cookie files are small text files saved on your computer, where settings and other important information used on websites you visit are stored. Cookies can contain website settings or be used to follow interactions of users with a website. We use “cookies” in order to, among others, adapt the contents of our site to your preferences and optimize the use of websites, maintain your session (after logging in), so that the user does not have to re-enter the login and password on every subpage, as well as support and enforce actions to maintain security.
At any time, you can contact the Controller by sending a message by postal service or e-mail to firstname.lastname@example.org. The Controller stores correspondence for statistical purposes and for the best and quickest response to appearing inquiries, as well as in the scope of complaint settlements and decisions made on the basis of notifications about administrative interventions in the indicated Account. The addresses and data collected in this way will not be used for communication for purposes other than handling your inquiry. In the case of contact with the Controller in order to perform specific actions (e.g. submitting a complaint on a form), the Controller may ask the person to provide data again, including personal data, e.g. such as name, surname, e-mail address, etc. to confirm his or her identity and allow for responding in a given matter and to perform the requested action. Providing these data is not mandatory, but it may be necessary to perform activities or obtain information that is of interest to a given person. Taking into account the condition of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying likelihood of occurrence and threat type, the Controller implements appropriate technical and organizational measures to ensure the protection of the Personal Data processed adequate to threats and categories of data covered by the protection, in particular, he protects the data against being made available to unauthorized persons, being taken away by an unauthorized person, being processed with violation of applicable provisions and change, loss, damage or destruction. Providing information on technical and organizational measures that provide protection of processing outside may impair their effectiveness and thus it jeopardizes the proper protection of the personal data. The Controller provides, for example, the following technical measures to prevent the collection and modification of the Personal Data sent electronically by unauthorized persons:
- securing the data set against unauthorized access.
- SSL certificate in the E-Store pages where the Personal Data are provided.
- encryption of data used to authorize a person using the functionality of the E-Store.
- access to the Account only after providing an individual login and password.