TABLE OF CONTENTS:
BASES OF DATA PROCESSING
PURPOSE, BASIS, TERM AND SCOPE OF DATA PROCESSING IN THE INTERNET SHOP
RECIPIENTS OF DATA IN THE INTERNET SHOP
PROFILING IN THE INTERNET SHOP
RIGHTS OF DATA SUBJECT
COOKIES IN THE INTERNET SHOP, OPERATIONAL DATA AND ANALYTICS
1.2. The controller of personal data gathered by the Internet Shop is Mateusz Lasota conducting business activity under the business name of ISO TRADE MATEUSZ LASOTA entered in the Central Registration and Information on Business of the Republic of Poland maintained by the minister of economy, with the address of the business office and address for deliveries: Rzeczypospolitej Street 116, 59-220 Legnica, Taxpayer Identification Number (NIP) 6912221018, business statistical number (REGON) 020206884, e-mail: firstname.lastname@example.org and the telephone number: 666002003 – hereinafter referred to as the “Controller” and being at the same time the Service Provider of the Internet Shop and the Seller.
1.3. Personal data in the Internet Shop are processed by the Controller in accordance with the applicable laws, especially according to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of GDPR can be found here: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.5. The Controller shall exercise due care in order to protect the interests of data subjects whose data are processed by the Controller; in particular, the Controller is responsible for and ensures that the data are: (1) processed in accordance with the law; (2) collected for specific legal purposes and are not subject to illegal processing; (3) correct and adequate as regards their content in relation to the purposes for which they are processed; (4) stored in a form that enables identification of data subjects for no longer than is indispensable to reach the purpose of processing and (5) processed in a manner ensuring appropriate security of personal data, including protection against unauthorised or illegal processing and accidental loss, destruction or damage, with the use of suitable technical or organizational measures.
1.6. Taking into account the nature, scope, context and purposes of processing as well as the risk of infringing the rights or freedoms of natural persons, of various probability and importance of threat, the Controller implements relevant technical and organizational measures so that the data are processed in accordance with this regulation and so that the Controller is able to demonstrate it. Such measures are reviewed and updated, if necessary. The Controller applies technical measures that prevent personal data sent electronically from being obtained and modified by unauthorised entities.
2. BASES OF DATA PROCESSING
2.1. The Controller shall be authorised to process personal data in cases and in the scope in which at least one of the following conditions is met: (1) a data subject has given its consent to the processing of its personal data for one or a greater number of specific purposes; (2) processing is necessary to execute the agreement to which the data subject is a party or to take actions at the request of the data subject before the conclusion of the agreement; (3) processing is necessary to meet a legal obligation imposed on the Controller; or (4) processing is required for purposes resulting from legally justified interests realized by the Controller or a third party, subject to situations in which interests or fundamental rights and freedoms of a data subject requiring personal data protection are superior to such interests, especially when the data subject is a minor.
2.2. Each instance of personal data processing by the Controller requires the existence of at least one of the bases specified in clause 2.1 above. The specific bases for the processing of personal data of Service Recipients and Clients of the Internet Shop by the Controller are specified in the clause below, in relation to a given purpose of data processing by the Controller.
3. PURPOSE, BASIS, TERM AND SCOPE OF DATA PROCESSING IN THE INTERNET SHOP
3.1. In each case the purpose, basis, period and scope as well as the recipients of personal data processed by the Controller result from actions taken by a given Service Recipient or Client in the Internet Shop. For instance, if the Client decides to make a purchase in the Internet Shop and chooses personal collection of the Product instead of courier delivery, its personal data shall be processed for the purpose of executing the Sales Contract but will not be made available to the carrier responsible for the delivery upon the order of the Controller.
3.2. The Controller can process personal data in the Internet Shop for the following purposes, on the following bases, in the following periods and in the following scope:
| Purpose of data processing | Legal basis of processing and period of storing data | Scope of processed data |
| --- | --- | --- |
| Performance of the agreement for the provision of Electronic Service or taking actions at the request of a data subject before the conclusion of the agreement | Art. 6 par. 1 letter b) of GDPR (performance of the agreement). Data are stored for a period that is necessary for the performance, termination or other expiry of the agreement. | Maximum scope: name and surname; name of the company; address of electronic mail; telephone number; place of delivery (street, house number, room number, postal code, city, country); address of residence/address of business activity/address of the registered office (if different than the delivery address); Taxpayer Identification Number (NIP). It is a maximum scope – in case of personal collection there is no need to provide the address of delivery. |
| | Art. 6 par. 1 letter f) of GDPR (legally justified interest of the controller). Data are stored for a period of the existence of legally justified interest of the Controller, however, no longer than for a period of limitation for claims in relation to the data subject on account of business activity conducted by the Controller. The limitation period is specified by the provisions of the law, especially of the Civil Code (basic limitation period for claims connected with business activity amounts to three years, whereas two years for a sales contract). The Controller cannot process the data for the purpose of direct marketing in the event of an effective objection in this scope expressed by the data subject. | Address of electronic mail |
| | Art. 6 par. 1 letter a) of GDPR (consent). Data are stored until the moment the consent to further processing of data for this purpose has been withdrawn by the data subject. | Name, address of electronic mail |
| Keeping of the accounting books | Art. 6 par. 1 letter c) of GDPR in connection with art. 74 par. 2 of the Accounting Act, i.e. of 30 January 2018 (Journal of Laws of 2018, item 395). Data are stored for a period required by the law that imposes an obligation on the Controller to store accounting books (5 years counting from the beginning of the year following the financial year to which data refer). | Name and surname; address of residence/address of business activity/address of the registered office (if different than the delivery address); name of the company and taxpayer identification number (NIP) of the Service Recipient or the Client |
| Establishing, pursuing or protecting against claims that may be raised by the Controller or against the Controller | Art. 6 par. 1 letter f) of GDPR. Data are stored for a period of the existence of legally justified interest of the Controller, however, no longer than for a period of limitation for claims in relation to the data subject on account of business activity conducted by the Controller. The limitation period is specified by the provisions of the law, especially of the Civil Code (basic limitation period for claims connected with business activity amounts to three years, whereas two years for a sales contract). | Name and surname; name of the company; telephone number; address of electronic mail; delivery address (street, house number, room number, postal code, city, country); address of residence/address of business activity/address of the registered office (if different than the delivery address). In case of Service Recipients or Clients not being consumers the Controller can additionally process the name of the company and a taxpayer identification number (NIP). |
4. RECIPIENTS OF DATA IN THE INTERNET SHOP
4.1. In order for the Internet Shop to operate properly, including the conclusion of Sales Contracts, it is indispensable for the Controller to use services of external entities (such as a supplier of software, a courier or a payment service provider). The Controller uses only services of processing entities that provide sufficient guarantees of implementing relevant technical and organizational measures so that the processing of data meets the requirements provided for in the GDPR Regulation and protects the rights of data subjects.
4.3. Personal data of Service Recipients and Clients of the Internet Shop can be provided to the following recipients or categories of recipients:
Carriers / shippers / courier brokers – if the Client chooses mail or courier shipment in the Internet Shop, the Controller provides personal data of the Client to a selected carrier, shipper or agent delivering Products upon the order of the Controller in the scope that is necessary to execute delivery of the Product to the Client.
Entities offering electronic payment services or payments by card – if the Client decides to pay in the Internet Shop with the use of electronic payment or payment by card, the Controller provides personal data of the Client to a selected entity offering the aforementioned services in the Internet Shop upon the order of the Controller in the scope that is necessary to execute payment of the Client.
5. PROFILING IN THE INTERNET SHOP
5.2. The Controller can use profiling in the Internet Shop for the purpose of direct marketing but decisions made on its basis by the Controller do not refer to the conclusion or refusal to conclude the Sales Contract, or a possibility of using Electronic Services in the Internet Shop. The use of profiling in the Internet Shop may result, for instance, in awarding a discount to a given person, sending them a discount code, a notification on an unfinished purchase, sending a proposal of a Product that may correspond to interests or preferences of a given person, or proposing more beneficial conditions in comparison to a standard offer of the Internet Shop. In any case, a given person decides freely whether to use such a discount or better conditions and to make a purchase in the Internet Shop.
5.3. Profiling in the Internet Shop consists in an automatic analysis or forecast of behaviours of a given person on the website of the Internet Shop, e.g. by adding a specific Product to the basket, viewing the website of a specific Product in the Internet Shop or by analysing the existing purchase history in the Internet Shop. Such profiling is possible provided that the Controller holds personal data of a given person in order to be able to provide such person e.g. with a discount code.
5.4. The data subject has the right not to be subject to the decision that is based exclusively on the automated processing, including profiling, and results in legal consequences for such data subject or has a similar impact on it.
6. RIGHTS OF DATA SUBJECT
6.1. The right to access, rectify, limit, delete or transfer – a given data subject has the right to request the Controller to access his/her data, to rectify them, to delete them (“the right to be forgotten”) or to limit the processing as well as has the right to object to the processing, and the right to transfer his/her data. Detailed terms and conditions of exercising the aforementioned rights are included in art. 15-21 of GDPR.
6.2. The right to withdraw the consent at any time – the data subject whose data are processed by the Controller on the basis of the consent given (pursuant to art. 6 par. 1 letter a) or art. 9 par. 2 letter a) of GDPR) has the right to withdraw the consent at any time without affecting the lawfulness of the processing carried out on the basis of such consent before it was withdrawn.
6.3. The right to lodge a complaint to a supervisory authority – the data subject whose data are processed by the Controller has the right to lodge a complaint to a supervisory authority in the manner and in accordance with the provisions of GDPR and the Polish law, especially the Personal Data Protection Act. The President of Personal Data Protection Office is the supervisory authority in Poland.
6.4. The right to object – the data subject has the right to object at any time – for reasons related to its special situation – to the processing of data based on art. 6 par. 1 letter e) (interest or public tasks) or f) (legally justified interest of the Controller), including profiling based on these regulations. In such event the Controller must not process such personal data unless it demonstrates legally justified bases for such processing, superior to the interests, rights and freedoms of the data subject, or bases for establishing, pursuing or protecting claims.
6.5. The right to object related to direct marketing – if personal data are processed for the purpose of direct marketing, the data subject has the right at any time to object to such processing of its personal data for the purpose of such marketing, including profiling, in the scope in which the processing is connected with such direct marketing.
7. COOKIES IN THE INTERNET SHOP, OPERATIONAL DATA AND ANALYTICS
7.1. Cookies are small pieces of text information in the form of text files, sent by a server and saved on a hard disc, laptop or a memory card of a smartphone of an individual visiting the website of the Internet Shop (depending on the type of device used by the visitor of our Internet Shop). Detailed information about Cookies and their history can be found here: http://pl.wikipedia.org/wiki/Ciasteczko.
7.2. The Controller can process the data included in Cookies while users visit the website of the Internet Shop for the following purposes:
Identification of Service Recipients as logged in the Internet Shop and showing that they are logged;
Saving Products added to the basket for the purpose of placing the Order;
Saving data provided in Order Forms, surveys or logging data in the Internet Shop;
Adjustment of the content of the website of the Internet Shop to individual preferences of the Service Recipient (e.g. related to colours, font size, layout) and optimization of use of the website of the Internet Shop;
Making anonymous statistics showing how the website of the Internet Shop is used;
Remarketing, i.e. examination of behaviours of people visiting the Internet Shop by way of an anonymous analysis of such behaviours (e.g. repeating visits on specific sites, key words etc.) for the purpose of creating their profile and providing them with advertisements adjusted to their anticipated interests, also when they visit other websites in the advertising networks of Google Inc. and Facebook Ireland Ltd.
7.3. The majority of Internet browsers available in the market usually accept saving of Cookies by default. Everyone can define terms and conditions of using Cookies with the use of settings of own Internet browser. It means that it is possible to temporarily limit or completely disable saving of Cookies – however, if Cookies are disabled it may have an influence on some functionalities of the Internet Shop (for instance, it may become impossible to go through the process of placing the Order with the use of the Order Form since Products in the basket will not be saved at the successive steps of the Order).
7.5. Detailed information related to the change of settings concerning Cookies and their independent removal in the most popular Internet browsers is available in the ‘Help’ section of the browser and on the following sites:
Internet Explorer browser
Microsoft Edge browser
7.6. The Controller can use Google Analytics, Universal Analytics provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) in the Internet Shop. These services help the Controller analyse traffic in the Internet Shop. Gathered data are processed as part of the aforementioned services in an anonymised manner (they are the so-called operational data that make it impossible to identify a given person) to generate statistics supporting the administration of the Internet Shop. The data are of collective and anonymous nature, i.e. they do not contain identification features (personal data) of people visiting the Internet Shop. Using the aforementioned services in the Internet Shop the Controller gathers such data as the sources and medium through which visitors reach the Internet Shop as well as their behaviours in the Internet Shop, information related to devices and browsers used to visit our website, IP and domain, geographical data and demographic data (age, sex) and interests.
7.7. The information on the activity in the Internet Shop can be easily blocked for Google Analytics – to this effect a browser add-on provided by Google Inc. can be installed, available here: https://tools.google.com/dlpage/gaoptout?hl=pl.
8. FINAL PROVISIONS