1. This document sets out the rules for processing and protecting the personal data of customers of the online store available at www.usaczesci.rzeszow.pl.
2. The owner of the online store and the administrator of personal data of customers - natural persons - and users whose data is concerned is the company Brodmir sp. z o.o. 36-020 Tyczyn, Hermanowa 567, 602 494 759, firstname.lastname@example.org. NIP: 8133886484, Regon: 523338085, KRS: 0000995781, hereinafter referred to as the Administrator and also the Seller.
3. Personal data collected by the Administrator through the online store are processed in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), as well as other currently applicable regulations on the protection of personal data throughout the entire period of processing of such data. Personal data means information about an identified or identifiable natural person (hereinafter referred to as Personal Data). An identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, internet identifier, location data, one or more factors specific to the physical, genetic, psychological, economic, cultural or social identity of a natural person.
4. The Administrator takes particular care to respect the privacy of customers visiting his online store.
5. Using the service requires processing of customer's personal data such as name and surname, telephone number, e-mail address, address of residence, etc. The data will be processed by Brodmir sp. z o.o. to the extent necessary to conclude and execute the contract. Transactional data, including personal data, may be transferred to "Polskie ePłatności" spółka z ograniczoną odpowiedzialnością with its registered office in Tajęcin (formerly "Paylane" sp. z o.o.), address: Tajęcina 113, 36-002 Jasionka, KRS: 0000227278, NIP 5862141089 and REGON 220010531, to the extent necessary to process payment for the order. The customer has the right to access and correct their data. Providing data is voluntary, but also necessary to use the service.
§ 1 Type of data processed, purposes and legal basis
1. The Administrator collects information regarding natural persons who perform a legal act not directly related to their business activities, natural persons conducting business or professional activities on their own behalf, and natural persons representing legal entities or organizational units that are not legal entities to which the law grants legal capacity and which conduct business or professional activities on their own behalf, hereinafter referred to as "Clients."
2. The purposes of processing Clients' Personal Data by the Administrator include in particular:
a) registration of an account in the Online Store, for the purpose of creating an individual account and managing this account. Legal basis - necessary for the performance of a contract for the provision of the Account service - Art. 6 para. 1 lit. b GDPR;
b) placing an order in the Online Store, for the purpose of performing a sales contract. Legal basis - necessary for the performance of a sales contract - Art. 6 para. 1 lit. b GDPR;
c) subscription to the Newsletter, for the purpose of performing a contract for the provision of an electronic service. Legal basis - the consent of the person whose data is being processed, to perform the service contract for the Newsletter - Art. 6 para. 1 lit. a GDPR.
3. When registering an account for the Newsletter service in the Online Store, the Client provides the following data:
a) email address.
4. When placing an order in the Online Store, the Client provides the following data:
a) email address;
b) address details: postal code and city, country, street, house/apartment number;
c) first name and last name;
d) phone number.
5. Entrepreneurs provide the above data and additionally:
a) Name of the Entrepreneur's company;
b) Tax Identification Number (NIP).
6. When using the Newsletter service, the Client provides data:
a) email address;
b) phone number.
7. Additional information may also be collected during the use of the Online Store, including: the IP address assigned to the Client's computer or external IP address of the Internet provider, domain, browser type, access time, operating system type.
8. Navigational data may also be collected from Clients, including information about links and references they decide to click or other actions taken in our Online Store. Legal basis - legitimate interest - Art. 6 para. 1 lit. f GDPR, allowing for better use of services provided electronically.
9. In order to establish, investigate and enforce claims, some personal data provided by the Client as part of the use of functionalities, including: first name, last name, data concerning the use of services, if claims arise from the way in which the Client uses the services, other data necessary to prove the existence of the claim, including the size of the damage suffered, may also be processed. Legal basis - legitimate interest - Art. 6 para. 1 lit. f GDPR, consisting in establishing, investigating and enforcing claims and defending against claims in proceedings before courts and other state authorities.
10. Personal data collected by the Administrator is voluntarily provided to him, in connection with sales contracts concluded, or also with the provision of services through the Online Store, with the reservation that failure to provide certain data in the Registration process forms renders Registration and the establishment of a Client Account impossible, and in the case of placing an order without registering a Client Account, the inability to process the order.
§ 2 To Whom We Can Disclose Your Data and How Long They Are Stored
1. The catalog of recipients of Personal Data processed by the Administrator primarily results from the scope of services used by the Client. The Client's personal data is transferred to service providers used by the Administrator in operating the Online Store. Service providers of the Administrator to whom personal data is transferred, depending on contractual arrangements and circumstances, are subject to the instructions of the Administrator as to the purposes and methods of processing this data - data processors - or independently determine the purposes and methods of their processing - administrators.
a) Data Processors - The Administrator uses suppliers who process personal data solely on the instructions of the Administrator, including hosting service providers or IT service providers, accounting services, providers of marketing systems, systems for analyzing traffic in the Online Store, systems for analyzing the effectiveness of marketing campaigns, companies carrying out marketing campaigns, and companies servicing software.
b) Administrators - The Administrator also uses suppliers who do not act solely on its instructions and independently determine the purposes and methods of using Customers' personal data. They provide electronic payment services and banking services.
2. Location - Service providers are located in Poland and other countries of the European Economic Area (EEA).
3. Customer's personal data is stored:
a) In the event that the basis for processing personal data is consent given for this purpose, the Customer's personal data is processed by the Administrator until the consent is revoked. After its revocation, personal data is stored for a period corresponding to the statute of limitations for claims that the Administrator may raise and that may be raised against it. Unless a special provision provides otherwise, the limitation period is 10 years, and for claims for periodic services and claims related to business activity, 3 years.
b) In the event that the basis for data processing is the performance of a contract, the Customer's personal data is processed by the Administrator for as long as necessary to perform the contract. After that time, personal data is processed for a period corresponding to the statute of limitations. Unless special provisions provide otherwise, the limitation period is 10 years, for claims for periodic services and claims related to business activity, 3 years.
4. In the event of a purchase in the Online Store, personal data may be transferred, depending on the Customer's choice, to the following entities for the purpose of delivering the products ordered in the Online Store:
a) Poczta Polska S.A. with its registered office in Warsaw;
b) DPD Polska.
5. In the case where a Customer of the Online Store chooses to pay through the Dotpay.pl payment system, his/her personal data is transferred to Dotpay S.A. with its registered office in Krakow (30-552), ul. Wielicka 72, entered into the Register of Entrepreneurs kept by the District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the National Court Register under KRS number 0000296790, in the scope necessary for payment processing.
6. Navigational personal data may be used to provide Customers with better service, analyze statistical data, adjust the Online Store to Customers' preferences, and administer the Online Store.
7. In the event that the Customer chooses the Newsletter subscription service, the Administrator will send information to his/her email address or SMS messages to his/her phone number.
§ 3 Cookies and IP Addresses
1. Cookies used by the Administrator serve primarily to optimize the service of visitors during the use of the Internet Store and provide the ability to develop statistics of visits to presented products in the Internet Store. These files are saved by the Administrator on the end device of the person visiting the Internet Store, if the web browser allows it. Cookies usually contain the name of the domain from which they originate, their "expiration time," and an individual, randomly selected number identifying these files.
2. Two types of cookies are used:
a) Session cookies - after the browser session has ended or the computer has been turned off, the saved information is deleted from the device's memory. The session cookies mechanism does not allow for the collection of any personal data or any confidential information from customers' computers;
b) Persistent cookies - are stored in the end device's memory of the customer and remain until they are deleted or expire. The persistent cookies mechanism does not allow for the collection of any personal data or any confidential information from customers' computers.
3. The Administrator uses his own cookies for the purpose of:
a) authenticating the customer in the Internet Store and providing him with a customer session after logging into the customer account;
b) anonymous statistics and analysis that help understand how customers use the Internet Store.
4. The Administrator uses external cookies for:
a) collecting statistical data through Google Analytics analytical tools - the administrator of the external cookies: Google Inc, based in the USA;
b) presenting ads from the Google AdSense service - the administrator of the external cookies: Google Inc, based in the USA;
c) promoting the Internet Store on the Facebook.com service - the administrator of the external cookies: Facebook Inc, based in the USA or Facebook Ireland, based in Ireland;
5. The mechanism of cookies is completely safe for the computers of the Internet Store customers. The customer can independently and at any time change the settings regarding cookies, specifying the conditions for their storage and access by cookies to their device. The changes to the settings mentioned can be made using the settings of the web browser. These settings can be changed in particular to block the automatic handling of cookies in the web browser settings or to inform about each time cookies are placed on the customer's device. Detailed information on the possibilities and methods of handling cookies is available in the web browser settings. Blocking cookies may affect some of the functionalities available in the Internet Store.
6. The Administrator may collect customers' IP addresses. An IP address is a number assigned to the computer of the person visiting the Internet Store by the Internet service provider. The IP address is used by the Administrator to diagnose technical problems with the server, create statistical analyses, and improve the Internet Store.
7. The Internet Store contains links and references to other websites on the Internet, and the Administrator is not responsible for the privacy policies applicable on these websites.
§ 4 The rights and obligations of individuals whose personal data is processed by an administrator, according to the General Data Protection Regulation (GDPR).
1. The right to withdraw consent - legal basis, Art. 7(3) of the GDPR.
a) The customer has the right to withdraw any consent they have given to the administrator.
b) The withdrawal of consent takes effect from the moment it is withdrawn.
c) The withdrawal of consent does not affect processing carried out by the administrator in accordance with the law before the withdrawal.
d) Withdrawal of consent does not result in any negative consequences for the customer of the online store, but it may prevent further use of services or functionalities that can only be provided with consent.
2. The right to object to data processing - legal basis, Art. 21 of the GDPR.
a) The customer has the right to object at any time to the processing of their personal data, including profiling, if the administrator processes their data based on a legitimate interest, such as marketing products and services, conducting statistics on the use of individual functionalities of the online store, facilitating the use of the online store, and surveying customer satisfaction.
b) Opting out of receiving commercial messages related to products or services sent by email is an objection by the customer to the processing of their personal data, including profiling for these purposes.
c) If the customer's objection is justified and the administrator has no other legal basis for processing the personal data, the customer's data will be deleted regarding the processing to which they objected.
3. The right to erasure (right to be forgotten) - legal basis, Art. 17 of the GDPR.
a) The customer has the right to request the deletion of all or some of their personal data.
b) The customer has the right to request the deletion of personal data if:
a. personal data is no longer necessary for the purposes for which it was collected or processed;
b. the customer has withdrawn their consent to the extent that the customer's data was processed based on their consent;
c. they object to the use of their data for commercial or marketing purposes;
d. personal data is being processed unlawfully;
e. personal data must be deleted to comply with a legal obligation under EU or Member State law to which the administrator is subject;
f. personal data was collected in connection with the offer of information society services.
c) Despite the request for the erasure of personal data due to an objection or withdrawal of consent, the administrator may retain some personal data to the extent that processing is necessary to establish, exercise or defend legal claims, or to comply with a legal obligation.
4. Right to restriction of processing - legal basis Art. 18 of the GDPR.
a) The Internet Store customer has the right to request the restriction of processing of their data. Such a request may prevent the use of certain functionalities or services that involve processing of the data covered by the request.
b) The Internet Store customer has the right to request the restriction of the use of their personal data in the following situations:
a. When there is a discrepancy in their personal data, the administrator restricts their use for the time necessary to verify the correctness of the data;
b. When the processing of the data is unlawful, and the customer does not request their deletion but rather the restriction of their use;
c. When the customer's personal data is no longer necessary for the purposes for which it was collected or used but is needed by the customer to establish, pursue, or defend claims;
d. When the customer has objected to the use of their data, the restriction occurs for the time necessary to consider whether, due to the customer's particular situation, the protection of their interests, rights, and freedoms prevails over the interests pursued by the administrator in processing the customer's data.
5. Right of access to data - legal basis Art. 15 of the GDPR.
a) The customer has the right to obtain from the administrator confirmation as to whether or not their personal data is being processed, and, if so, the customer has the right to:
a. access their personal data;
b. obtain information about the purposes of processing, recipients or categories of recipients of the data, the planned period of data storage or the criteria for determining this period, the rights available to the customer under the GDPR, and the right to lodge a complaint with a supervisory authority, the source of the data, the existence of automated decision-making, including profiling, and the safeguards used in connection with the transfer of this data outside the European Union;
c. obtain a copy of their personal data.
6. Right to rectification - legal basis Art. 16 of the GDPR.
a) The customer has the right to request the prompt correction by the administrator of their personal data that is inaccurate. Taking into account the purposes of processing, the customer has the right to request the completion of incomplete personal data, including by providing an additional statement, by sending an email to the administrator's email address.
7. Right to data portability - legal basis Art. 20 of the GDPR.
a) The customer has the right to receive their data that they have provided to the administrator and then to send it to another administrator of personal data chosen by them. The Internet Store customer also has the right to request that their personal data be sent by the administrator directly to such an administrator, if this is technically possible. In this situation, the administrator will send the customer's data in a CSV file format, which is a commonly used format.
8. In the event of a request by the customer to exercise their above rights, the administrator has the right to comply with or refuse such a request, and will do so immediately.
9. The customer has the right to submit complaints, inquiries, and requests to the administrator regarding the processing of their personal data and the implementation of their rights.
10. The customer has the right to request the administrator to provide copies of standard contractual clauses by sending an inquiry to the administrator's email address.
11. The customer has the right to lodge a complaint with the President of the Personal Data Protection Office regarding the violation of their rights to personal data protection or other rights granted under the GDPR.
§ 5 Personal data protection
1. The administrator declares that they make every effort to ensure a high level of security for customers using the online store and for this purpose:
a) use the technical and organizational measures required by law, particularly with regard to the security of processing personal data;
b) use measures to ensure continuous confidentiality, integrity, availability and resilience of processing systems and services;
c) have the ability to quickly restore the availability of personal data and access to it in the event of a physical or technical incident;
d) provide customers of the online store with a secure and encrypted connection when transmitting personal data and when logging into their customer account by using an SSL certificate.
2. Any events that affect the security of the transmission of information, personal data, including suspicion of sharing files containing viruses, should be reported to the administrator by email at email@example.com.
§ 6 Final provisions