2. The administrator of the personal data collected via the Internet Shop is GARDA Dominik Gawron
with registered office in Poland, ul. Krótka 53, 60-185 Skórzewo k/Poznania
Telephone: 0048 516 650 100
hereinafter referred to as „the Controller„
(3) Personal data in the Online Shop shall be processed by the Administrator in accordance with the applicable legal provisions, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as „RODO„.
(4) The use of the Online Shop, including making purchases, is voluntary. Similarly, the related provision of personal data by the Customer using the Online Shop is voluntary, with the exception of:
- statutory obligations – providing personal data is a statutory requirement resulting from generally applicable laws imposing an obligation on the Administrator to process personal data (e.g. processing of data for the purpose of keeping tax or accounting books), and failing to provide such data will prevent the Administrator from performing such obligations.
(5) The controller shall take particular care to protect the interests of the persons whose personal data it processes, and in particular shall be responsible and ensure that the data it collects are:
- processed in accordance with the law;
- collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes;
- substantively correct and adequate in relation to the purposes for which they are processed;
- kept in a form which permits the identification of data subjects for no longer than is necessary to achieve the purpose of the processing;
- processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
(6) Taking into account the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and seriousness, the Controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the Regulation and to be able to demonstrate this. The Administrator shall apply technical measures to prevent the acquisition and modification by unauthorised persons, of personal data transmitted electronically.
GROUNDS FOR PROCESSING
(1) The controller shall be entitled to process personal data where, and to the extent that, one or more of the following conditions are met:
- the data subject has consented to the processing of their personal data for one or more specified purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for the fulfilment of a legal obligation incumbent on the Administrator;
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
(2) The processing of personal data by the Controller requires in each case the existence of at least one of the grounds indicated above. The specific grounds for the processing of Customers‘ personal data are indicated below
PURPOSE, BASIS, DURATION AND SCOPE OF DATA PROCESSING
- Each time, the purpose, basis, period and scope and recipients of the personal data processed by the Administrator results from the activities undertaken by the respective Customer in the Online Shop. For example, if the Customer decides to purchase from the Online Shop and chooses personal collection of the purchased Goods instead of courier delivery, his/her personal data will be processed for the purpose of executing the concluded Sales Agreement, but will no longer be made available to the carrier carrying out the delivery on behalf of the Administrator.
2 The controller may process personal data in the Online Shop for the following purposes, on the following grounds, for the following periods and to the following extent:
|Purpose of data processing||Legal basis for processing / data retention period||Scope of data processing|
|Performance of a Sales Contract or an agreement for the provision of an Electronic Service||Article 6(1)(b) of the RODO Regulation (performance of a contract)|
The data shall be stored for the period necessary for the performance, termination or otherwise expiry of the concluded contract.
|Scope: first and last name; e-mail address; contact telephone number; delivery address (street, house number, apartment number, postal code, town, country), residential/business/residence address (if different from delivery address), IP address, customer ID.|
|Bookkeeping||Article 6(1)(c) of the RODO Regulation in conjunction with Article 74(2) of the Accounting Act, i.e. of 30 January 2018. (Journal of Laws 2018, item 395)|
The data shall be kept for the period required by law requiring the Administrator to keep tax books (until the expiry of the limitation period for tax liability, unless otherwise provided by tax laws) or accounting records (5 years, counting from the beginning of the year following the financial year to which the data relates).
|Name; residential/business/residential address (if different from delivery address), company name and tax identification number (NIP) of the customer|
|Establishing, asserting or defending claims which the Administrator may assert or which may be asserted against the Administrator||Article 6(1)(f) of the RODO Regulation|
The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than the period of limitation of claims against the data subject in respect of the Administrator’s business activities. The period of limitation is determined by law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years, and for a sales contract it is two years).
|Name; contact telephone number; e-mail address; delivery address (street, house number, apartment number, postal code, town, country), residential/business/residence address (if different from delivery address).|
RECIPIENTS OF THE DATA
(1) For the proper functioning of the Online Shop, including the performance of concluded Sales Agreements, it is necessary for the Administrator to use the services of external entities. The Administrator shall only use the services of such processors who provide sufficient guarantees of the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the RODO Regulation and protects the rights of the data subjects.
(3) Personal data of the Customers of the Online Shop may be transferred to the following recipients or categories of recipients:
- carriers/courier brokers – in the case of a Customer who uses the method of delivery of the Goods by post or courier service in the Internet Shop, the Administrator makes the collected personal data of the Customer available to the selected carrier or broker executing the shipment on the order of the Administrator to the extent necessary to execute the delivery of the Goods to the Customer.
- entities handling electronic or credit card payments – in the case of a Customer who uses the electronic or credit card payment method in the Internet Shop, the Administrator shall make the collected personal data of the Customer available to a selected entity handling the aforementioned payments in the Internet Shop on the order of the Administrator to the extent necessary to handle the payment made by the Customer.
(1) The Administrator may use profiling on the Online Store for marketing purposes, but the decisions made on its basis by the Administrator do not concern the conclusion or refusal of the Sales Agreement or the possibility of using the services on the Online Store. The effect of the use of profiling in the Online Shop may be, for example, to grant a person a discount, to send him/her a discount code, to remind him/her of unfinished purchases, to send a proposal of goods that may correspond to the person’s interests or preferences or to offer better conditions compared to the standard offer of the Online Shop. Despite the profiling, it is up to the individual to decide freely whether he or she wishes to take advantage of the discount or better conditions received in this way and make a purchase from the Online Shop.
(2) Profiling in the Online Shop involves the automatic analysis or prediction of a person’s behaviour on the website of the Online Shop, e.g. by adding a specific Item to the basket, browsing the page of a specific Item in the Online Shop, or by analysing the previous history of purchases made in the Online Shop. The condition for such profiling is that the Administrator is in possession of the person’s personal data in order to be able to subsequently send the person, for example, a discount code.
(3) The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects in relation to the data subject or similarly significantly affects the data subject.
RIGHTS OF THE DATA SUBJECT
(1) Right of access, rectification, restriction, erasure or portability – The data subject has the right to request from the Controller access to his/her personal data, rectification, erasure („right to be forgotten“) or restriction of processing and has the right to object to the processing, and has the right to portability of his/her data. The detailed conditions for exercising the rights indicated above are indicated in Articles 15-21 of the RODO Regulation.
2. right to withdraw consent at any time – a person whose data is processed by the Controller on the basis of expressed consent has the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal.
3 The right to lodge a complaint to the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint to the supervisory authority in the manner and mode specified in the provisions of the RODO Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection.
4 Right to object – The data subject shall have the right to object at any time – on grounds relating to his or her particular situation – to the processing of personal data concerning him or her based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling under these provisions. In such a case, the controller shall no longer be allowed to process these personal data, unless the controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
(5) In order to exercise the rights referred to in this paragraph, the Administrator may be contacted by sending an appropriate message in writing or by e-mail to the Administrator’s address indicated in paragraph 1.
COOKIES IN THE WEBSHOP, USAGE DATA AND ANALYTICS
(1) Cookies are small text files sent by a server and stored on the website of the Internet Shop (e.g. on the hard drive of a computer, laptop or smartphone memory card – depending on the device used by the visitor to our Internet Shop). Detailed information on cookies as well as the history of their creation can be found, among others, here: http://pl.wikipedia.org/wiki/Ciasteczko.
(2) The Administrator may process the data contained in cookies when visitors use the website of the Internet Shop for the following purposes:
- identify Customers as logged in to the Online Shop and show that they are logged in;
- remembering the Goods added to the shopping basket for the purpose of placing an Order;
- storing data from completed Order Forms, surveys or login data to the Online Shop;
- to adapt the content of the Internet Shop’s website to the individual preferences of the Customer (e.g. as regards colours, font size, page layout) and to optimise the use of the Internet Shop’s pages;
- to keep anonymous statistics showing how the website of the Online Shop is used;
- remarketing, i.e. the study of the behavioural characteristics of visitors to the Online Shop through anonymous analysis of their actions (e.g. repeated visits to certain pages, keywords, etc.) in order to create their profile and provide them with advertising tailored to their anticipated interests, also when they visit other websites on the advertising network of Google Inc. and Facebook Ireland Ltd;
5 Detailed information on how to change the settings for cookies and how to delete them yourself in the most popular web browsers is available in the help section of your browser.
(6) The administrator may use on the Online Shop the services Google Analytics, Universal Analytics provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) and the Heatmap service provided by HeatMap, Inc. These services help the Administrator to analyse traffic on the Online Shop. The data collected is processed as part of the above services in an anonymised manner (this is so-called exploitation data, which prevents the identification of a person) for the purpose of generating statistics to assist in the administration of the Online Shop. This data is aggregated and anonymous, i.e. it does not contain identifying characteristics (personal data) of persons visiting the website of the Internet Shop. When using the above services in the Internet Shop, the Administrator collects such data as the source and medium of obtaining visitors to the Internet Shop and the manner of their behaviour on the website of the Internet Shop, information on the devices and browsers from which they visit the website, IP and domain, geographical data and demographic data (age, gender) and interests.
7 It is possible for a person to easily block Google Analytics from sharing information about their activity on the Online Shop website – for this purpose, you can install a browser add-on provided by Google Inc. available here: https://tools.google.com/dlpage/gaoptout?hl=pl