I. Personal data controller
- The controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) is Elit-Designer Spółka z ograniczoną odpowiedzialnością [Limited Liability Company] with its registered office in Tomaszów Mazowiecki at ul. Warszawska 105 B, 97-200 Tomaszów Mazowiecki, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court Łódź-Śródmieście in Łódź, 20th Commercial Division of the National Court Register under the National Court Register number: 0000620794, NIP [Tax Identification Number]: 7732479098, REGON [National Business Registry Number]: 364593370, initial capital of PLN 20,000;
- Email address of the controller: email@example.com.
- In accordance with Article 32(1) of the GDPR, the controller shall observe the principle of personal data protection and shall take appropriate technical and organisational measures to prevent accidental or unlawful destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data processed in connection with the conducted activity.
- The provision of personal data by the customer is voluntary, but necessary in order to enter into an agreement with the data controller.
- The controller shall process personal data to the extent necessary for the performance of an agreement or the provision of services to the data subject.
II. Purpose and basis of processing of personal data
The controller processes personal data for the following purposes:
- the preparation of a commercial offer in response to the customer’s interest, which is a legitimate interest of the data controller (Article 6(1)(f) GDPR);
- the conclusion and performance of sales agreements with customers, on the basis of the agreement concluded (Article 6(1)(b) GDPR);
- the provision of services by electronic means through the Online Shop, on the basis of the agreement concluded (Article 6(1)(b) GDPR);
- the handling of the complaint procedure, on the basis of the data controller’s obligations in connection with the applicable legal provisions (Article 6(1)(c) GDPR);
- accounting related to the issuing and acceptance of accounting documents, on the basis of tax law provisions, including the Act of 29 September 1994 on accounting and the Act of 11 March 2004 on Value Added Tax (Article 6(1)(c) GDPR);
- archiving data for the possible establishment, investigation or defence against claims or the need to prove facts, which constitutes a legitimate interest of the data controller (Article 6(1)(f) GDPR);
- contact via telephone or email, in particular in response to enquiries to the controller, which constitutes a legitimate interest of the controller (Article 6(1)(f) GDPR);
- sending technical information on the functioning of the Online Shop and the services used by the Customer, which constitutes a legitimate interest of the data controller (Article 6(1)(f) GDPR);
- marketing of the controller’s own products, which constitutes its legitimate interest (Article 6(1)(f) GDPR) or takes place on the basis of previously granted consent (Article 6(1)(a) GDPR).
III. Data recipients. Transfers of data to third countries
- Recipients of personal data processed by the controller may be entities cooperating with the controller when it is necessary for the performance of an agreement concluded with the data subject.
- Recipients of personal data processed by the controller may also be subcontractors – entities whose services are used by the controller for data processing, e.g. accounting firms, law firms, entities providing IT services (including hosting services).
- The controller may be obliged to disclose personal data under applicable laws, in particular to disclose personal data to authorised state authorities or institutions.
- Personal data will not be transferred to an entity located outside the European Economic Area.
IV. Period of retention of personal data
- The controller shall store personal data for the duration of the agreement concluded with the data subject and after its termination for the purposes related to the pursuit of claims arising out of the agreement, the performance of obligations under applicable laws, but for no longer than the limitation period provided for in the Civil Code.
- The controller shall store the personal data contained in the accounting documents for the period of time indicated by the provisions of the Value Added Tax Act and the Accounting Act.
- The data controller shall store personal data processed for marketing purposes for a period of 10 years, but no longer than until the withdrawal of consent or objection to the processing.
- The controller shall store personal data for purposes other than those referred to in paragraphs 1 to 3 for a period of 3 years, unless the consent to data processing has been withdrawn beforehand and the processing cannot be continued on a basis other than the data subject’s consent.
V. Rights of the data subject
- Every data subject has the following rights:
- The Right of Access – to obtain confirmation from the controller as to whether or not his or her personal data are being processed. If the person’s data are processed, he/she is entitled to have access to them and to obtain the following information: the purposes of the processing, the categories of personal data, information about the recipients or categories of recipients to whom the data have been or will be disclosed, the period of storing data or the criteria for determining it, the data subject’s right to request rectification, erasure or restriction of processing of personal data and to object to such processing (Article 15 GDPR);
- The right to obtain a copy of the data – to obtain a copy of the data processed, the first copy being free of charge while for subsequent copies the controller may charge a reasonable fee based on administrative costs (Article 15(3) GDPR);
- The Right to Rectification – to request the rectification of personal data concerning him/her that is inaccurate or the completion of incomplete data (Article 16 GDPR);
- The Right to Erasure – to request the erasure of his/her personal data where the controller no longer has a legal basis for processing them or the data are no longer necessary for processing purposes (Article 17 GDPR);
- The Right to Restriction of Processing – to request the restriction of processing of personal data (Article 18 GDPR) when:
  - the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  - the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  - the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  - the data subject has objected to processing – pending the verification whether the legitimate grounds of the controller override those of the data subject;
- The Right to Data Portability – to receive the personal data concerning him or her which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and to request that these data be sent to another controller, where the data are processed on the basis of the data subject’s consent or a contract concluded with him or her and where the data are processed by automated means (Article 20 GDPR);
- The Right to Object – to object to the processing of his/her personal data for the legitimate purposes of the controller, on grounds relating to his/her particular situation, including profiling. The controller shall then assess the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects, or for the establishment, exercise or defence of legal claims. If, according to the assessment, the interests of the data subject override the interests of the controller, the controller will be obliged to cease processing for these purposes (Article 21 GDPR).
- In order to exercise the aforementioned rights, the data subject should contact the controller using the contact details provided and state which right he/she wishes to exercise and to what extent.
- The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office in Warsaw.
Personal data obtained by the data controller will not be processed by automated means, including profiling.