PRIVACY AND COOKIES POLICY OF ksiegarniaipn.pl ONLINE STORE
CONTENTS:
- GENERAL PROVISIONS
- BASIS FOR DATA PROCESSING
- PURPOSE, BASIS, AND PERIOD OF DATA PROCESSING IN THE ONLINE STORE
- RECIPIENTS OF DATA IN THE ONLINE STORE
- PROFILING IN THE ONLINE STORE
- RIGHTS OF DATA SUBJECTS
- COOKIES AND ANALYTICS IN THE ONLINE STORE
- FINAL PROVISIONS
1. GENERAL PROVISIONS
1.2. The Controller of personal data collected through the Online Store is DANTE G. BARAN, G. FUGIEL SPÓŁKA JAWNA with its registered office in Kraków (registered office and delivery address: ul. Ojcowska 1, 31-344 Kraków); entered into the Register of Entrepreneurs of the National Court Register under the number KRS [National Court Register Number] 0000767656; the registry court where the company's records are kept: District Court for Kraków-Śródmieście in Kraków, XI Commercial Department of the National Court Register; NIP [Tax Identification Number]: 6791351324; REGON [National Official Business Registry Number]: 351088477, e-mail address: firstname.lastname@example.org, contact telephone number: 530-473-263 – hereinafter referred to as Online Store Service Provider and Seller.
1.3. In the Online Store, personal data are processed by the Controller in accordance with applicable laws, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR" or "the GDPR Regulation". Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.5. The Controller shall exercise due care to protect the interests of persons whose personal data it processes and, in particular, shall be responsible for and ensure that the data it collects are: (1) processed lawfully; (2) collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which they are processed; (4) stored in a form which enables the identification of data subjects for a period no longer than necessary for the achievement of the purpose of the processing; and (5) processed in a way which ensures adequate security of personal data, including protection against unauthorised or unlawful processing as well as against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
1.6. Having regard to the nature, scope, context, and purposes of the processing, as well as the risk of violation of the rights or freedoms of natural persons of varying probability and gravity, the Controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the GDPR Regulation and to be able to demonstrate it. These measures are reviewed and updated as needed. The Controller uses technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically.
2. BASIS FOR DATA PROCESSING
2.1. The Controller shall be entitled to process personal data where, and to the extent that, at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specified purposes; (2) the processing is necessary for the performance of an agreement to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into an agreement; (3) the processing is necessary for the performance of a legal obligation imposed on the Controller; or (4) the processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, in particular where the data subject is a child.
3. PURPOSE, BASIS, AND PERIOD OF DATA PROCESSING IN THE ONLINE STORE
3.1. Each time, the purpose, basis, period, and scope as well as recipients of the personal data processed by the Controller result from the activities undertaken by a given Service User or Customer in the Online Store. For example, if the Customer decides to make purchases in the Online Store and chooses in-person collection of the purchased Product instead of courier delivery, their personal data will be processed in order to perform the Sales Agreement concluded but will no longer be made available to the carrier performing the shipment on behalf of the Controller.
3.2. The Controller may process personal data within the framework of the Online Store for the purposes, on the basis and for periods indicated in the table below:
| Purpose of data processing | Legal basis for data processing | Period of data storage |
|---|---|---|
| Performance of the Sales Agreement or an agreement for the provision of an Electronic Service or taking steps at the request of the data subject prior to the conclusion of the above-mentioned agreements. | Article 6 par. 1 letter (b) of the GDPR Regulation (performance of the agreement) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; | Data is stored for a period required to perform, terminate, or otherwise expire the concluded Sales Agreement or Agreement for the Provision of an Electronic Service. |
| Direct marketing | Article 6 par. 1 letter (f) of the GDPR Regulation (legitimate interests pursued by the controller) – processing is necessary for purposes resulting from the Controller's legitimate interests – consisting in caring for the interests and the positive image of the Controller, his Online Store, and seeking to sell the Products. | The data is stored for the period of the existence of legitimate interest pursued by the Controller, however, not longer than for the limitation period for the Controller's claims with regard to the data subject arising on the grounds of the Controller's business activity. The limitation period is determined by law, in particular, the Civil Code (the basic limitation period for claims related to the conduct of business is three years, and for sales agreements - two years). The Controller may not process data for direct marketing purposes if the data subject has raised an effective objection in this respect. |
| Marketing | Article 6 par. 1 letter (a) of the GDPR Regulation (consent) – the data subject has consented to the processing of his or her data by the Controller for marketing purposes. | Data is stored until the withdrawal of consent by the data subject for further processing of his or her data for this purpose. |
| The expression of opinion about the Sales Agreement concluded by the Customer | Article 6 par. 1 letter (a) of the GDPR Regulation – the data subject has consented to the processing of his or her personal data for the purposes of expression of opinion. | Data is stored until the withdrawal of consent by the data subject for further processing of his or her data for this purpose. |
| Tax purposes | Article 6 par. 1 letter (c) of the GDPR Regulation in conjunction with Art. 86 § 1 of the Tax Ordinance, consolidated text of 17 January 2017 (Dz. U. /Journal of Laws/ of 2017 item 201 as amended) – the processing is necessary for the performance of a legal obligation imposed on the Controller. | Data is stored for the period required by law that obliges the Controller to store tax records (until the expiry of the limitation period for tax liability unless tax laws provide otherwise). |
| Determination, pursuit or defence of claims that the Controller may assert or that may be asserted against the Controller | Article 6 par. 1 letter (f) of the GDPR Regulation (legitimate interest pursued by the controller) – processing is necessary for purposes resulting from the Controller's legitimate interests – consisting in the determination, pursuit, or defence of claims that the Controller may assert or that may be asserted against the Controller. | The data is stored for the period of the existence of legitimate interest pursued by the Controller, however, not longer than for the limitation period for the claims that may be raised against the Controller (the basic limitation period for claims against the Controller amounts to six years). |
| Using the Online Store website and ensuring its correct operation | Article 6 par. 1 letter (f) of the GDPR Regulation (legitimate interests pursued by the controller) – processing is necessary for purposes resulting from the Controller's legitimate interests – consisting in running and maintaining the Online Store website. | The data is stored for the period of the existence of legitimate interest pursued by the Controller, however, not longer than for the limitation period for the Controller's claims with regard to the data subject arising on the grounds of the Controller's business activity. The limitation period is determined by law, in particular, the Civil Code (the basic limitation period for claims related to the conduct of business is three years, and for sales agreements - two years). |
| Keeping statistics and traffic analysis in the Online Store | Article 6 par. 1 letter (f) of the GDPR Regulation (legitimate interests pursued by the controller) – processing is necessary for purposes resulting from the Controller's legitimate interests – consisting in keeping statistics and analysing traffic in the Online Store for the purposes of improving the operation of the Online Store and increasing the sales of Products. | The data is stored for the period of the existence of legitimate interest pursued by the Controller, however, not longer than for the limitation period for the Controller's claims with regard to the data subject arising on the grounds of the Controller's business activity. The limitation period is determined by law, in particular, the Civil Code (the basic limitation period for claims related to the conduct of business is three years, and for sales agreements - two years). |
4. RECIPIENTS OF DATA IN THE ONLINE STORE
4.1. For the proper functioning of the Online Store, including the execution of Sales Agreements concluded, it is necessary for the Controller to use services of external entities (such as a software provider, courier, or payment processor). The Controller shall only use such processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR Regulation and protects the rights of the data subjects.
4.4. Personal data of Service Users and Customers of the Online Store may be transferred to the following recipients or categories of recipients:
4.4.1 carriers / forwarders / courier brokers / entities managing the warehouse and/or the shipping process – in the case of a Customer of the Online Store who has the Product delivered by mail or courier, the Controller makes the collected personal data available to the selected carrier, forwarder or broker that conducts shipments at the Controller's request; if the shipment is made from an external warehouse – to the entity managing the warehouse and/or the shipping process – to the extent necessary for delivering the Product to the Customer.
4.4.2 entities processing electronic or credit card payments – in case of a Customer who uses the electronic or credit card payment method in the Online Store, the Controller makes the collected personal data of the Customer available to a selected entity processing the aforementioned payments in the Online Store at the Controller's request to the extent necessary to process the payment made by the Customer.
4.4.3 providers of an opinion poll system – in the case of a Customer who agreed to express his or her opinion about the concluded Sales Agreement, the Controller makes the collected personal data available to the selected entity providing the opinion poll system for the evaluation of the Sales Agreements concluded in the Online Store at the Controller's request to the extent necessary for the Customer to express an opinion using the opinion poll system.
4.4.6 providers of social plug-ins, scripts, and other similar tools placed on the Online Store website that enable the browser of the person visiting the Online Store website to download content from the providers of the above-mentioned plug-ins (e.g. logging in using social network login data) and to transfer the visitor's personal data for this purpose to these providers, including:
5. PROFILING IN THE ONLINE STORE
5.2. The Controller can use profiling in the Online Store for direct marketing purposes but decisions made on its basis by the Controller shall not concern the conclusion of or refusal to conclude a Sales Agreement or the possibility of using Electronic Services in the Online Store. The effect of using profiling in the Online Store may be e.g. granting a given person a discount, sending them a discount code, reminding about unfinished shopping, sending a proposal of a Product, which may correspond to the interests or preferences of a given person, or offering better conditions in comparison with the standard offer of the Online Store. Despite the profiling, it is up to the person to freely decide whether they wish to take advantage of the discount received in this way or of better conditions and make a purchase from the Online Store.
5.3. Profiling in the Online Store consists in automatic analysis or prediction of a given person's behaviour on the website of the Online Store, e.g. through adding a particular Product to the shopping cart, browsing the page of a particular Product in the Online Store, or through analysis of the previous history of purchases made in the Online Store. The condition for such profiling is that the Controller must have the personal data of the person in question in order to be able to send them, for example, a discount code.
5.4. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or affects them in a similarly significant way.
6. RIGHTS OF DATA SUBJECTS
6.1. Right to access, rectify, restrict the processing or erase data and the right to data portability - the data subject has the right to request the Controller to enable them to access, rectify or erase their personal data ("right to be forgotten"), as well as restrict or object to the processing thereof, and has the right to data portability. Detailed conditions for the exercise of the rights indicated above are specified in Art. 15-21 of the GDPR Regulation.
6.2. Right to withdraw consent at any time - the person whose data are processed by the Controller on the basis of consent (pursuant to Art. 6 par. 1 letter (a) or Art. 9 par. 2 letter (a) of the GDPR Regulation) has the right to withdraw their consent at any time without affecting the lawfulness of the processing carried out on the basis of such consent prior to its withdrawal.
6.3. Right to lodge a complaint with the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint with the supervisory authority in the manner and mode specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
6.4. Right to object – the data subject has the right to object at any moment, for reasons related to his or her specific circumstances, to the processing of his or her data, pursuant to art. 6 par. 1 letter (e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling under these regulations. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing, which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.
6.5. Right to object regarding direct marketing – if personal data is processed for the purposes of direct marketing, the data subject has the right to object to the processing of his or her personal data for the purposes of such marketing, including profiling, at any time, to the extent in which the processing of data is associated with such direct marketing.
7. COOKIES AND ANALYTICS IN THE ONLINE STORE
7.1. Cookie files (cookies) are small pieces of text information in the form of text files sent by the server and saved on the side of the visitor to the Online Store (e.g. on the hard drive of the computer, laptop, or smartphone memory card, depending on the device used by the visitor of the Online Store). Detailed information on cookie files and the history of their development can be found, among other places, at: https://pl.wikipedia.org/wiki/HTTP_cookie.
7.2. Cookie files that can be sent by the Online Store website can be divided into several types, according to the following criteria:
- Based on their provider
- Based on the period of their storage on the device of the visitor to the Online Store
- Based on their purpose
7.3. The Controller may process data contained in Cookie files when visitors are using the Online Store website for the following specific purposes:
Purposes of using Cookie files in the Controller's Online Store:
- identification of Service Users as logged in the Online Store and showing that they are logged in (necessary Cookies)
- remembering Products added to the shopping cart for the purposes of placing an Order (necessary Cookies)
- remembering data from the filled Order Forms, polls, or Online Store login data (necessary/functional/optional Cookies)
- customising the content of the Online Store website to the Service User's individual preferences (e.g. regarding colours, font size, website layout) and optimising the use of the Online Store website (functional/optional Cookies)
- keeping anonymous statistics reflecting the way the Online Store website is used (analytical and performance Cookies)
- displaying and rendering advertisements and ignoring the advertisements that the Service User does not want to see, measuring the effectiveness of advertisements, and personalising advertisements, which involves studying the behaviour of visitors to the Online Store by anonymously analysing their activities (e.g. repeated visits on specific sites, keywords, etc.) in order to create their profiles and to target them with advertisements customised to their predicted interests, also when they visit other websites that belong to the advertising network of Google Ireland Ltd., Tradedoubler Ltd. and Meta Platforms Ireland Ltd. (marketing, advertising, and social media Cookies)
7.4. The most popular web browsers allow for checking which Cookie files (as well as the period of operation of Cookie files and their providers) are being sent by the Online Store website at a given moment in the following manner:
In Chrome browser:
In Firefox browser:
(1) in the address bar, click on the shield icon on the left, (2) go to the "Allowed" or "Blocked" tab, (3) click on "Cross-site tracking cookies", "Social network tracking elements" or "Content with tracking elements"
In Internet Explorer browser:
In Opera browser:
(1) in the address bar, click on the padlock icon on the left, (2) go to the "Cookies" tab.
In Safari browser:
(1) click on the "Preferences" menu, (2) go to the "Privacy" tab, (3) click on "Manage site data" box.
Irrespective of the browser, with tools available, for example, at: https://www.cookiemetrix.com/ or https://www.cookie-checker.com/
7.5. It is the standard for most web browsers available on the market to allow for saving Cookie files by default. Every user can set the terms for the use of Cookie files by customising the settings of their web browser. This means, for example, that it is possible to limit (e.g. for a specific period of time) or to completely block the saving of Cookie files – however, the latter option may impact some functionalities of the Online Store (for example, it may become impossible to trace the Order path through the Order Form, as Products will not be remembered at the subsequent stages of placing the Order).
7.7. In the Online Store, the Controller may use the services of Google Analytics, Universal Analytics provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services enable the Controller to keep statistics and to analyse traffic in the Online Store. The collected data are processed as part of the above-mentioned services to generate statistics that support the administration of the Online Store and the analysis of traffic in the Online Store. The data are aggregated. Using the above-mentioned services in the Online Store, the Controller collects data such as the sources and medium of acquisition of visitors to the Online Store, information about the devices and browsers they use to visit the site, IP and domain information, geographical data, demographic data (age and sex), and interests.
7.8. A person can easily block the sharing of information about their activities on the Online Store website to Google Analytics – in order to do this, they can, for example, install a browser add-on provided by Google Ireland Ltd. which can be accessed at: https://tools.google.com/dlpage/gaoptout?hl=pl.
8. FINAL PROVISIONS