PRIVACY POLICY OF THE
KOICOSMETICS.PL ONLINE STORE
TABLE OF CONTENTS:
- GENERAL PROVISIONS
- BASIS FOR DATA PROCESSING
- PURPOSE, BASIS, PERIOD AND SCOPE OF PROCESSING IN THE ONLINE STORE
- RECIPIENTS OF DATA IN THE ONLINE STORE
- PROFILING IN THE ONLINE STORE
- RIGHTS OF DATA SUBJECTS
- COOKIES IN THE ONLINE STORE, OPERATIONAL DATA AND ANALYTICS
- FINAL PROVISIONS
1. GENERAL PROVISIONS
1.1. The privacy policy of the Online Store is informational, which means that it is not a source of obligation for Service Users or Customers of the Online Store. The privacy policy contains, first and foremost, rules regarding personal data processing by the Controller in the Online Store, including the basis, purposes and scope of personal data processing and rights of data subjects, as well as information on the use of cookies and analytical tools in the Online Store.
1.2. The Controller of the personal data collected via the Online Store is GRZEGORZ KOZŁOWSKI, conducting business activities under the name KOI COSMETICS, entered in the National Court Register and having the following address of the place of business: ul. Piękna 19, 00-549 Warszawa, and the following address for delivery: ul. Piękna 19/-1, 00-549 Warszawa, NIP [Tax Identification Number]: 7010991786, REGON [National Official Business Registry Number]: 386619230, KRS [National Court Register Number]: 0000851979, e-mail address: [email protected], phone No.: 604062418, hereinafter called “the Controller”, and being at the same time the Service Provider of the Online Store and the Seller.
1.3. In the Online Store, personal data are processed by the Controller in accordance with applicable laws, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR or the GDPR Regulation. Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.4. The use of the Online Store, including making purchases, is voluntary. Similarly, the related provision of personal data by the Service User or Customer using the Online Store is voluntary, subject to two exceptions: (1) conclusion of agreements with the Controller – failure to provide personal data necessary for the conclusion and performance of a Sales Agreement or an agreement for the provision of an Electronic Service with the Controller in the cases and to the extent indicated on the website of the Online Store and in the Regulations of the Online Store and this Privacy Policy prevents the provision of such an agreement. In such cases, the provision of personal data is a contractual requirement and if the data subject wishes to enter into an agreement with the Controller, they are obliged to provide the required data. Each time the scope of data required to conclude an agreement is indicated beforehand on the website of the Online Store and in the Regulations of the Online Store; (2) the Controller’s statutory obligations – the provision of personal data is a statutory requirement resulting from universally binding legal regulations imposing an obligation on the Controller to process personal data (e.g. processing of data for tax or accounting purposes) and the failure to provide such data will prevent the Controller from performing these obligations.
1.5. The Controller shall exercise due care to protect the interests of persons whose personal data it processes and, in particular, shall be responsible for and ensure that the data it collects are: (1) processed lawfully; (2) collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which they are processed; (4) stored in a form which enables the identification of data subjects for a period no longer than necessary for the achievement of the purpose of the processing; and (5) processed in a way which ensures adequate security of personal data, including protection against unauthorised or unlawful processing as well as against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
1.6. Having regard to the nature, scope, context and purposes of the processing, as well as the risk of violation of the rights or freedoms of natural persons of varying probability and gravity, the Controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with this Regulation and to be able to demonstrate it. These measures are reviewed and updated as needed. The Controller uses technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically.
1.7. All words, phrases and acronyms appearing in this privacy policy and beginning with a capital letter (e.g. Seller, Online Store, Electronic Service) shall be understood in accordance with the definition contained in the Regulations of the Online Store available at the websites of the Online Store.
2. BASIS FOR DATA PROCESSING
2.1. The Controller shall be entitled to process personal data where, and to the extent that, at least one of the following conditions is met: (1) the data subject has given a consent to the processing of their personal data for one or more specified purposes; (2) the processing is necessary for the performance of an agreement to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into an agreement; (3) the processing is necessary for the performance of a legal obligation imposed on the Controller; or (4) the processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, in particular where the data subject is a child.
2.2. In each case, the processing of personal data by the Controller requires the existence of at least one of the grounds indicated in point 2.1 of the privacy policy. Specific grounds for processing of personal data of Service Users and Customers of the Online Store by the data Controller are indicated in the next section of the privacy policy – with reference to a given purpose of personal data processing by the Controller.
3. PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING IN THE ONLINE STORE
3.1. Each time, the purpose, basis, period and scope as well as recipients of the personal data processed by the Controller result from the activities undertaken by a given Service User or Customer in the Online Store. For example, if the Customer decides to make purchases in the Online Store and chooses personal collection of the purchased Product instead of courier delivery, their personal data will be processed in order to perform the Sales Agreement concluded but will no longer be made available to the carrier performing the shipment on behalf of the Controller.
3.2. The Controller may process personal data in the Online Store for the following purposes, on the following grounds, during the following periods and to the following extent:
Purpose of data processing | Legal basis for processing and data retention period | Scope of data processing |
Performance of a Sales Agreement or an agreement for the provision of Electronic Services, or taking of action at the request of the data subject prior to entering into the above-mentioned agreements | Article 6, sec. 1(b) of the GDPR Regulation (performance of the agreement). Data is retained for the period necessary for the performance, termination or expiry in any other way of the agreement concluded. | Maximum scope: first and last name; e-mail address; contact telephone number; delivery address (street, house number, apartment number, postal code, city, country), residential/business/office address (if different from the delivery address). For Service Users or Customers who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Service User or Customer. The range given is a maximum scope of processing – in the case of e.g. personal collection, it is not necessary to provide a delivery address. |
Direct marketing | Article 6, sec. 1(f) of the GDPR Regulation (legitimate interest of the controller). The data shall be stored for the period of the existence of a legitimate interest pursued by the Controller; however, no longer than for the period of the statute of limitations for claims against the data subject in respect of the Controller’s business activities. The statute of limitations is determined by law, in particular the Civil Code (the basic statute of limitations for claims related to the conduct of business is three years and for sales agreements – two years). The Controller may not process data for direct marketing purposes if the data subject has raised an effective objection in this respect. | E-mail address |
Marketing | Article 6, sec. 1(a) of the GDPR Regulation (consent). The data is stored until the data subject withdraws their consent to further processing for this purpose. | Name, e-mail address |
Keeping tax records | Article 6, sec. 1(c) of the GDPR Regulation in conjunction with Art. 86 § 1 of the Tax Ordinance, consolidated text of 17 January 2017 (Dz. U. /Journal of Laws/ of 2017, item 201) or Art. 74 sec. 2 of the Accounting Act, consolidated text of 30 January 2018 (Dz. U. /Journal of Laws/ of 2018, item 395). The data shall be stored for the period required by the provisions of law requiring the Administrator to keep tax records (until the expiry of the limitation period for tax liabilities, unless tax acts provide otherwise) or accounting records (5 years, counting from the beginning of the year following the financial year to which the data refers). | First and last name; address of residence/business/office (if different from the delivery address), company name and tax identification number (NIP) of the Service User or Customer |
Determination, pursuit or defence of claims that the Controller may assert or that may be asserted against the Controller | Article 6, sec. 1(f) of the GDPR Regulation. The data shall be stored for the period of the existence of a legitimate interest pursued by the Controller; however, no longer than for the period of the statute of limitations for claims against the data subject in respect of the Controller’s business activities. The statute of limitations is determined by law, in particular the Civil Code (the basic statute of limitations for claims related to the conduct of business is three years and for sales agreements – two years). | Name and surname; contact telephone number; e-mail address; delivery address (street, house number, apartment number, postcode, city/town, country), residential/business/office address (if different from the delivery address). For Service Users or Customers who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Service User or Customer. |
4. RECIPIENTS OF DATA IN THE ONLINE STORE
4.1. For the proper functioning of the Online Store, including the execution of Sales Agreements concluded, it is necessary for the Controller to use services of external entities (such as a software provider, courier, or payment processor). The Controller shall only use such processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR Regulation and protects the rights of the data subjects.
4.2. The Controller does not transfer data in every single case and to all recipients or categories of recipients indicated in the privacy policy – the Controller only transfers data if it is necessary for the implementation of a given purpose of personal data processing and solely to the extent necessary for its implementation. For example, if the Customer chooses personal collection, their data will not be transferred to the carrier cooperating with the Controller.
4.3. Personal data of the Service Users and Customers of the Online Store may be transferred to the following recipients or categories of recipients:
- carriers/forwarders/courier brokers – in the case of a Customer who uses the online store’s method of Product delivery by mail or courier, the Controller makes the collected personal data of the Customer available to the chosen carrier, forwarder or broker executing the shipment at the Controller’s request to the extent necessary to execute the delivery of the Product to the Customer.
- entities processing electronic or credit card payments – in case of a Customer who uses the electronic or credit card payment method in the Online Store, the Controller makes the collected personal data of the Customer available to a selected entity processing the aforementioned payments in the Online Store at the Controller’s request to the extent necessary to process the payment made by the Customer.
- service providers supplying the Controller with technical, IT and organisational solutions, which enable the Controller to conduct its business activities, including the Online Store and the Electronic Services provided by means of the Store (in particular, providers of computer software for running the Online Store, e-mail and hosting providers, as well as providers of business management and technical support software for the Controller) – the Controller makes the collected personal data of the Customer available to a selected provider acting on its behalf only in the case and to the extent necessary to implement a given purpose of data processing in accordance with this Privacy Policy.
- providers of accounting, legal and advisory services performing accounting, legal or advisory support activities for the Controller (in particular an accounting office, a law firm or a debt collection agency) – the Controller makes the collected personal data of the Customer available to a selected provider acting on its behalf only in the case and to the extent necessary to implement a given purpose of data processing in accordance with this Privacy Policy.
5. PROFILING IN THE ONLINE STORE
5.1. The GDPR Regulation imposes an obligation on the Controller to inform about automated decision-making, including profiling, as referred to in Art. 22 sec. 1 and 4 of the GDPR Regulation, and – at least in these cases – relevant information about the principles on which they are taken, as well as about the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this section of the privacy policy.
5.2. The Controller can use profiling in the Online Store for direct marketing purposes but decisions made on its basis by the Controller shall not concern the conclusion of or refusal to conclude a Sales Agreement or the possibility of using Electronic Services in the Online Store. The effect of using profiling in the Online Store may be e.g. granting a given person a discount, sending them a discount code, reminding about unfinished shopping, sending a proposal of a Product, which may correspond to interests or preferences of a given person, or offering better conditions in comparison with the standard offer of the Online Store. Despite the profiling, it is up to the person to freely decide whether they wish to take advantage of the discount received in this way or of better conditions and make a purchase from the Online Store.
5.3. Profiling in the Online Store consists in automatic analysis or prediction of a given person’s behaviour on the website of the Online Store, e.g. through adding a particular Product to the shopping cart, browsing the page of a particular Product in the Online Store, or through analysis of the previous history of purchases made in the Online Store. The condition for such profiling is that the Controller must have the personal data of the person in question in order to be able to send them, for example, a discount code.
5.4. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects them.
6. RIGHTS OF DATA SUBJECTS
6.1. Right to access, rectify, restrict the processing or erase data and the right to data portability – the data subject has the right to request the Controller to enable them to access, rectify or erase their personal data (“right to be forgotten”), as well as restrict or object to the processing thereof, and has the right to data portability. Detailed conditions for the exercise of the rights indicated above are specified in Art. 15-21 of the GDPR Regulation.
6.2. Right to withdraw consent at any time – the person whose data are processed by the Controller on the basis of a consent (pursuant to Art. 6 sec. 1(a) or Art. 9 sec. 2(a) of the GDPR Regulation) has the right to withdraw their consent at any time without affecting the lawfulness of the processing carried out on the basis of such consent prior to its withdrawal.
6.3. Right to lodge a complaint to the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint with the supervisory authority in the manner and mode specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office of Personal Data Protection.
6.4. Right to object – the data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data pursuant to Art. 6 sec. 1(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling under these regulations. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
6.5. Right to object to direct marketing – where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of their personal data for the purposes of such marketing, including profiling, to the extent that the processing is related to such direct marketing.
6.6. In order to exercise the rights referred to in this section of the privacy policy, you can contact the Administrator by sending an appropriate message in writing or by e-mail to the Controller’s address indicated at the beginning of the privacy policy or by using the contact form available at the Online Store website.
7. COOKIES IN THE ONLINE STORE, OPERATIONAL DATA AND ANALYTICS
7.1. Cookies are small pieces of information in the form of text files sent by a website and stored on the device of the person visiting the Online Store (e.g. on the hard drive of a computer, laptop or on the memory card of a smartphone – depending on the device used by the person visiting our Online Store). Detailed information on Cookies as well as the history of their creation can be found, for example, at http://pl.wikipedia.org/wiki/Ciasteczko.
7.2. The Administrator may process the data contained in Cookies when visitors use the website of the Online Store for the following purposes:
- identifying the Service Users as logged in to the Online Store and showing that they are logged in;
- remembering the Products added to cart in order to place an Order;
- remembering data from completed Order Forms, surveys or login data to the Online Store;
- adjusting the content of the Online Store’s website to the individual preferences of the Service User (e.g. regarding colours, font size, site layout) and optimising the use of the Online Store websites;
- keeping anonymous statistics showing how the Online Store website is used;
- remarketing, i.e. studying the behaviour of persons visiting the Online Store through anonymous analysis of their actions (e.g. repeated visits to certain websites, keywords, etc.) to create their profile and provide them with advertisements tailored to their anticipated interests, including when they visit other websites on the Google Inc. advertising network and Facebook Ireland Ltd.
7.3. By default, most web browsers on the market accept the storage of cookies. You can determine the conditions for the use of cookies through the settings of your web browser. This means that you can, for example, partially limit (e.g. temporarily) or completely disable the storage of cookies – in the latter case, however, this may affect some of the features of the Online Store (for example, it may not be possible to monitor the transfer of the Order through the Order Form due to failure to remember the Products added to the cart during the subsequent steps of placing the Order).
7.4. The settings of your Internet browser regarding cookies are important from the point of view of your consent to the use of cookies by our Online Store – according to the regulations, such consent may also be expressed through the settings of your Internet browser. If you do not agree to this, please change your browser’s cookie settings accordingly.
7.5. Detailed information on how to change settings for cookies and how to delete them yourself in the most popular web browsers is available in the help section of your web browser and on the following websites (simply click on the link):
in the Internet Explorer browser
7.6. The Controller may use Google Analytics, Universal Analytics provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). These services help the Administrator analyse the traffic in the Online Store. The data collected is processed within the scope of the above services in an anonymised manner (these are the so-called operational data which prevent the identification of a person) to generate statistics helpful in administering the Online Store. These data are aggregate and anonymous, i.e. they do not contain any identifying characteristics (personal data) of persons visiting the website of the Online Store. When using the above services in the Online Store, the Administrator collects such data as the source and medium of obtaining visitors to the Online Store and the manner of their behaviour on the website of the Online Store, information about the devices and browsers from which they visit the site, IP and domain, geographical data and demographic data (age, gender) as well as interests.
7.7. It is possible to prevent Google Analytics from revealing information about a given person’s activity on the website of the Online Store – to do so, you can install a browser plug-in provided by Google Inc., which is available here: https://tools.google.com/dlpage/gaoptout?hl=pl.
8. FINAL PROVISIONS
8.1. The Online Store may contain links to other websites. The Administrator recommends that, after being directed to other websites, you read the privacy policies of those websites. This privacy policy applies solely to the Administrator’s Online Store.