TABLE OF CONTENTS:
1. GENERAL PROVISIONS
1.2. The Controller of the personal data collected via the Online Store shall be Maria Bujak-Chwist conducting business activity under the name of HELLO MORNING MARIA BUJAK-CHWIST, entered into Central Registration and Information on Business of the Republic of Poland maintained by the minister competent for the economy, having: the address of the place of business and the address for delivery: ul. Armii Krajowej 19, 30-150 Kraków, NIP/VAT-ID 6762384947, REGON 122981874, e-mail address: email@example.com and telephone number: 693931111 – hereinafter referred to as “Controller” and being simultaneously the Service Provider of the Online Store and the Seller.
1.3. Personal data in the Online Store shall be processed by the Controller in accordance with the binding legal regulations, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
1.5. The Controller assures due diligence to protect the interest of persons being data subjects, in particular being responsible and liable for and assuring that the data collected are: (1) processed in accordance with the Act; (2) collected for specific, legal purposes and not subject to further processing inconsistent with the purposes; (3) correct as regards the subject matter and adequate as regards the purpose of the processing; (4) stored in a form making it possible to identify the people they apply to, no longer than it proves necessary to attain the purpose of processing and (5) processed in a manner ensuring security of the personal data, including the protection against illicit or illegal processing or accidental loss, damage or destruction, with the use of appropriate technical and organisational measures.
1.6. Taking into account the nature, scope, context and purpose of processing as well as the risk of breaching the rights or freedoms of natural persons with varied likelihood and degree of threat, the Controller is implementing appropriate technical and organisational measures so that the processing takes place pursuant to the Regulation and it is possible to show it. The measures are reviewed and updated, as necessary. The Controller applies technical measures preventing the acquisition and modification of personal data sent electronically by unauthorised persons.
2. BASIS FOR THE PROCESSING OF DATA
2.1. The Controller is authorised to process the personal data in cases, and to the extent, when at least one of the following conditions is met: (1) the data subject consented to the processing of their data to one or more specified ends; (2) processing is necessary for contract performance the data subject is a party to, or to take actions to the request of the data subject, prior to contract conclusion; (3) processing is necessary to meet the legal obligation of the Controller; or (4) processing is necessary for the needs resulting from the legally justified interests of the Controller or third party, except for situations when the interests or basic rights and freedoms of the data subject override such interests and they require personal data protection, especially when the data subject is a child.
3. PURPOSE, BASIS, PERIOD AND SCOPE OF PROCESSING DATA IN THE ONLINE STORE
3.1. Each time, the purpose, basis, period and scope as well as the recipients of personal data being processed by the Controller result from actions undertaken by a given Service User or Customer in the Online Store. For instance, in the case the Customer decides to purchase a product in the Online Store and selects collecting the purchased Product personally instead of shipment, their personal data will be processed with a view of performing the Contract of Sale entered into, but they will not be made available to the courier delivering the shipment to the Controller’s order.
3.2. The Controller may process the personal data in the Online Store for the purposes, on the bases, within the periods and scope, as follows:
|Purpose of data processing||Legal basis for processing and the period of data storage||Scope of data processing|
|The performance of the Contract of Sale or a contract for the provision of an E-Service, or taking actions to the request of the data subject, prior to entering into the above contracts.||Article 6, par. 1, point b) of the GDPR Regulation (contract performance)The data shall be stored for the period necessary for the performance, termination or expiry of a contract entered into in a different manner.||Maximum scope: name and surname; e-mail address; phone no.; delivery address (street, flat no., office no., zip code, town, country), address of residence/running a business/registered office, if different than the delivery address).In the case of Service Users or Customers who are not consumers, the Controller may also process the company name and VAT no. (NIP) of the Service User or the Customer.The above constitutes the maximum scope – in the case of e.g. collecting a product personally, one does not have to specify the delivery address.|
|Direct marketing||Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller)The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years, and for a Contract of Sale two years).The Controller may not process the data for the needs of direct marketing in the case of expressing clear objection in this field by the data subject.||E-mail address|
|Marketing||Article 6, par. 1, point a) of the GDPR Regulation (consent)The data are stored until the data subject withdraws the consent to further process their data to that end.||Name, e-mail address|
|The Customer expressing opinion on the concluded Contract of Sale||Article 6, par. 1, point a) of the GDPR RegulationThe data are stored until the data subject withdraws the consent to further process their data to that end.||E-mail address|
|Keeping tax books||Article 6, par. 1, point c) of the GDPR Regulation in relation with Article 86 §1 of Tax Ordinance Act, consolidated text of 17 January 2017 (Journal of Laws of 2017 item 201)The data shall be stored for the legally required period, requesting the Controller to store tax books (till the lapse of the period of limitation of a tax obligation, unless Acts on Tax stipulate otherwise)||Name and surname: address of residence/running a business/registered office (if other than the delivery address), business name and VAT no. (NIP) of the Service User or the Customer.|
|Determining, pursuing or defence of claims on the side of the Controller, or ones that may arise as regards the Controller.||Article 6, par. 1, point f) of the GDPR RegulationThe data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years, and for a Contract of Sale two years).||Name and surname; phone no.; e-mail address; delivery address (street, flat no., office no., zip code, town, country), address of residence/running a business/registered office (if different than the delivery address).In the case of Service Users or Customers who are not consumers, the Controller may also process the company name and VAT no. (NIP) of the Service User or the Customer.|
4. DATA RECIPIENTS IN THE ONLINE STORE
4.1. For the needs of proper Online Store functioning, inclusive of the performance of the Contracts of Sale entered into, it shall be necessary for the Controller to make use of external companies’ services (e.g. software provider, courier, or payment system provider). The Controller uses solely the services of such processing entities which ensure sufficient guarantee to implement appropriate technical and organisational measures so that the processing meets the requirements set out in the GDPR Regulation and protects the rights of data subjects.
4.3. Personal data of the Online Store Service Users or Customers may be provided to the following recipients or categories of recipients:
4.3.1. carriers/forwarders/couriers – in the case of a Customer who selects the Online Store to deliver the Product by post or courier, the Controller makes the collected Customer’s personal data available to the selected carrier, forwarder or agent performing shipment for the Controller to the extent necessary to deliver the Product to the Customer.
4.3.2. e-payments or payment card service providers – in the case of a Customer who uses in the Online Store the option of e-payment or payment card, the Controller makes the collected Customer’s personal data available to the selected payment service provider in the Online Store for the Controller to the extent necessary to perform the payment of the Customer.
4.3.3. opinion poll system providers – in the case of a Customer who consented to express their opinion on the Contract of Sale concluded, the Controller makes the collected personal data of the Customer available to the selected entity providing the system of opinion polls on Contracts of Sale concluded in the Website to the order of the Controller within a scope necessary for the Customer to present their opinion by means of an opinion poll system.
4.3.4. loan providers/lessors – in the case of a Customer who selects in the Online Store the option of payment method in instalments or leasing, the Controller makes the collected Customer’s personal data available to the selected loan provider or lessor providing the above payment services in the Online Store to the order of the Controller to the extent necessary for the payment service for the Customer.
4.3.5. service providers rendering for the Controller technical, IT or organisational solutions, making it possible for the Controller to conduct a business, inclusive of the Online Store and E-Services provided via it (in particular computer software providers for the Online Store, e-mail companies and hosting providers as well as software providers for company management and technical aid for the Controller) – the Controller makes the collected personal data of the Customer available to the selected provider operating to their order only in the case and to the extent necessary for attaining a given purpose of data processing in accordance herewith.
4.3.6. accounting, legal and counselling services providers rendering for the Controller accounting, legal or counselling services (in particular an accounting agency, law firm or debt collection company) – the Controller makes the collected personal data of the Customer available to the selected provider operating to their order only in the case and to the extent necessary for attaining a given purpose of data processing in accordance herewith.
5. PROFILING IN THE ONLINE STORE
5.2. The Controller may use profiling in the Online Store for direct marketing purposes, yet the decisions made on its basis by the Controller do not concern the conclusion or rejection to conclude the Contract of Sale, or the possibility to make use of E-Services in the Online Store. The result of profiling in the Online Store may be e.g. discount for a given person, sending a discount code, reminding about unfinished purchase process, sending Product offers, which may be related to the interests or preferences of the person, or offering better conditions as compared with the standard offer of the Online Store. Regardless of profiling, the person makes decisions freely, whether they want to use the discount given, or better conditions and buy a product in the Online Store.
5.3. Profiling in the Online Store consists in automatic analysis or forecast of the conduct of a given person on the website of the Online Store, e.g. by adding a given Product to the cart, browsing the page of a given product in the Online Store, or the analysis of the history of purchase in the Online Store. The condition for such profiling is for the Controller to have the personal data of the person, so that they can later send them e.g. a discount code.
5.4. The data subject shall have the right not to depend on the decision which is only based on automated processing, including profiling, and has some legal effects on the person or similarly affects them.
6. THE RIGHTS OF THE DATA SUBJECT
6.1. The right to access, rectify, restrict, erase or transmit – the data subject shall have the right to demand the Controller to have access to their personal data, rectify, erase (“the right to be forgotten”) or restrict the processing and shall have the right to object to the processing and transmit their data. Detailed conditions of the above rights shall be indicated in Articles 1522 of the GDPR Regulation.
6.2. The right to withdraw the consent at any time – the person whose data are being processed by the Controller on the basis of the consent given (pursuant to Article 6, par. 1, point a) or Article 9, par. 2, point a) of the GDPR Regulation), they shall have the right to withdraw their consent at any time without any impact on the compatibility with the right to process made based on the consent prior to the withdrawal.
6.3. The right to lodge a complaint with a supervisory body – the person whose data are being processed by the Controller shall have the right to lodge a complaint with a supervisory body in a manner and mode specified in the provisions of the GDPR Regulation and the Polish law, in particular the Personal Data Protection Act. The supervisory body in Poland shall be the President of the Office for Personal Data Protection.
6.4. The right to object – the data subject shall have the right, at any time, to lodge a complaint – for reasons related to their particular situation – as regards the processing of their personal data based on Article 6, par. 1, point e) (public interest or official authority) or f) (legitimate interest of the controller) in the case of profiling based on the provisions. The Controller in such a case must stop processing the personal data, unless they show the existence of legally significant and justified bases for the processing, overriding the interests, rights and freedoms of the data subject, or the bases for determining, pursuing or defending the claims.
6.5. The right to object as regards direct marketing – in the case the personal data are being processed for the needs of direct marketing, the data subject shall have the right, at any time, to lodge a complaint as regards the processing of their personal data for the needs of such marketing, including profiling, to the extent to which the processing is related to direct marketing.
7. COOKIES IN THE ONLINE STORE, OPERATIONAL DATA AND ANALYTICS
7.1. Cookies are small pieces of text files sent by the server and saved at the visitor’s of the Online Store (e.g. on the hard disk of a computer, laptop, or smartphone’s memory card – depending on the type of device used by the Online Store’s visitor). Detailed information on Cookies as well as the history of their origin can be found e.g. at: http://pl.wikipedia.org/wiki/Ciasteczko (https://en.wikipedia.org/wiki/HTTP_cookie).
7.2. The Controller may process the data contained in Cookies while the visitors of the Online Store use it for the following purposes:
7.2.1. identification of the Service Users being logged in the Online Store and showing that they are logged in;
7.2.2. saving Products added to the cart to place an order;
7.2.3. saving data from the Order Forms, polls or logging data to the Online Store;
7.2.4. adjusting the content of the Online Store to individual preferences of the Service User (e.g. concerning the colours, font size, layout) and optimising the use of the Online Store’s websites;
7.2.5. preparing anonymous statistics presenting the manner of using the Online Store;
7.2.6. remarketing, namely evaluating the conduct of visitors of the Online Store through anonymous analysis of their activities (e.g. repeated visits on particular pages, key words etc.) to create their profile and provide them with adverts matching their interests, also when they visit other websites in the advertising network of Google Inc. and Facebook Ireland Ltd.;
7.3. As a standard, most internet browsers on the market accept saving Cookies by default. Every person has the possibility to specify the conditions of using Cookies in the browser settings. It means that one may, e.g. partially restrict (e.g. temporarily) or fully disable saving Cookies – in the latter case it may have an impact on some functionalities of the Online Store (for instance it may prove impossible to go through the Order using the Order Form owing to failure to save the Products in the cart in the course of subsequent stages of Order placement).
7.5. Detailed information concerning the change in Cookies settings and their individual removal in the most common browsers is available in the help section of the browser and the following websites (click the link):
7.6. The Controller may use Google Analytics and Universal Analytics services in the Online Store, which are provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The services help the Controller to analyse the frequency of visits in the Online Store. The data collected are processed under the above services in an anonymous manner (the so-called operational data, which make it impossible to identify a person) to generate statistics helpful while administering the Online Store. The data are of collective and anonymous nature, i.e. they do not contain any identifying features (personal data) of the visitors of the Online Store. Using the above services in the Online Store, the Controller collects such data as the sources and medium of acquiring visitors of the Online Store and the manner of their conduct on the website of the Online Store, information concerning their devices and browsers used to visit the website, IP and domain, geographical data and demographic data (age, sex) and interests.
7.7. It is possible to easily block sharing information with Google Analytics as regards the activity on the website of the Online Store – install to that end an opt-out add-on made available by Google Inc. available at: https://tools.google.com/dlpage/gaoptout?hl=pl.
8. FINAL PROVISIONS