- The controller of personal data collected via the Online Shop is the limited liability company NATURAL ELEMENT SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Warsaw (registered office address and service address: ul. Biały Kamień 2/10, 02-593 Warszawa), entered in the Register of Entrepreneurs of the National Court Register under number KRS 0000578938; the registry court, where the files are kept for the company: District Court for the capital city of Warsaw in Warsaw, XIII Commercial Division of the National Court Register; share capital: PLN 105 000; NIP: 5223039987; REGON: 362666425, e-mail: firstname.lastname@example.org -hereinafter referred to as the Controller and this company is concurrently the Service Provider of the Online Shop services and the Seller.
- Personal data is processed by the Controller at the Online Shop in accordance with Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) (hereinafter the “GDPR”). Official text of the RODO is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
- The Controller will exercise due care in order to protect the interests of data subjects, whose data is processed by the Controller, and specifically the Controller is responsible for, and shall ensure that, the data collected: (1) is processed in accordance with the law; (2) is collected for identified legitimate purposes and not processed further contrary to these purposes; (3) is correct and relevant in relation to the purposes for which they are processed; (4) is stored in a form, which permits identification of data subjects no longer than it is necessary to achieve the purpose of the processing and (5) processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage by using relevant technical or organizational measures.
- Taking into account the nature, extent, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller has implemented appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures shall be reviewed and updated where necessary Technical measures are made available by the Controller to prevent unauthorised capture and modification of the personal data sent electronically.
- GROUNDS FOR THE PROCESSING OF DATA
- The Controller is authorised to process the personal data if, and to the extent that, at least one of the following conditions is met: (1) the data subject consented to the processing of their personal data for one or more specific purposes; (2) the processing is necessary to perform a contract to which the data subject is a party or to take actions on request of the data subject before the contract is concluded; (3) the processing is necessary to fulfil a legal obligation resting on the Controller; or (4) the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such legitimate interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- PURPOSE, BASIS, PERIOD AND EXTENT OF THE PROCESSING OF DATA IN THE ONLINE SHOP
- The purpose, basis, period and extent, and recipients of the personal data processed by the Controller are each time the outcome of actions taken by the User or the Customer in the Online Shop. For example, if the Customer shopped at the Online Shop and opted for personal pick up instead of messenger service for a Product purchased, their personal data will be processed with a view to perform the so concluded Contract of Sale, but they will not be made available to the carrier, which handles deliveries on behalf of the Controller.
- The Controller can process personal data at the Online Shop for the following purposes, on the following basis, in the following periods and extent:
Purpose for the processing of data
Legal basis for the processing and data retention period
Extent of data processed
The performance of the Contract of Sale or the contract for the provision of Electronic Services or taking action at the request of the data subject prior to the conclusion of the said contracts
Article 6(1)(b) of the GDPR (performance of a contract)
The data is retained for the period necessary for the contract to be performed, terminated or otherwise expire.
Maximum extent: name and surname; e-mail address; contact phone number; delivery address (street, house number, unit number, postcode, city/town, country), residential/business/registered office address (if different from delivery address).
For non-consumer Users or Customers, the Controller can also process the company name and tax identification number (NIP) of the user or the Customer.
For personal pick up, the specified maximum extent does not include the delivery address.
Article 6(1)(f) of the GDPR (legitimate interests of the controller)
The data shall be kept for the period of time that legitimate interests of the Controller exist, no longer however than for the limitation period of claims in relation to the data subject in respect of Controller’s economic activities. The limitation period is determined by the provisions of law, in particular the civil code (the basic limitation period for claims relating to economic activity is three years and two years for a contract of sale).
The Controller may not process data for direct marketing purposes if the data subject effectively objected to the same.
Article 6(1)(a) of the GDPR (consent)
The data is retained until the consent for further processing for the said purpose is withdrawn by the data subject.
Name, e-mail address
Tax or accounting records
Article 6(1)(c) of the GDPR in conjunction with article 86 § 1 of the Tax Code, consolidated text of 17 January 2017 (Dz.U. (journal of laws) of 2017 item 201) or article 74(2) of the Accounting Act, consolidated text of 30 January 2018 (Dz.U. of 2018 item 395)
The data shall be retained for the period required by law under which the Controller is bound to retain tax records (until the lapse of the limitation period for tax liabilities, unless the tax law provides otherwise) or accounting records (5 years from the beginning of the year following the year that the data concerns).
Name and surname; residential/business/registered office address (if different from the delivery address), company name and taxpayer identification number (NIP) of the User or the Customer.
Establishment, exercise or defence of legal claims as may be sought by or against the Controller
Article 6(1)(f) of the GDPR
The data shall be kept for the period that legitimate interests of the Controller exist, no longer however than for the limitation period of claims in relation to data subject in respect of Controller’s economic activities. The limitation period is determined by the provisions of law, in particular the civil code (the basic limitation period for claims relating to economic activity is three years and two years for a contract of sale).
Name and surname; contact phone number; e-mail address; delivery address (street, house number, unit number, postcode, city/town, country), residential/business/registered office address (if different from the delivery address).
For non-consumer Users or Customers, the Controller can also process the company name and tax identification number (NIP) of the user or the Customer.
- DATA RECIPIENTS IN THE ONLINE SHOP
- For the proper operation of the Online Shop, this is to include handling of Contracts of Sale it is necessary for the Controller to use services of third-party providers (such as software vendors, couriers or payment processing operator). The Controller uses only the services of such third-party processors which ensure sufficient guarantees of implementing relevant technical and organizational measures so that processing meets the requirements of the GDPR and protects the rights of the data subject.
- Personal data of Users and Customers of the Online Shop may be transferred to the following recipients or categories of recipients:
- Carriers / forwarders / courier brokers - when the Customer uses the postal service or messenger delivery method for the Product in the Online Shop, the Controller will forward the collected personal data of the Customer to the selected carrier, forwarder or agent, which handles deliveries on behalf of the Controller, to the extent as it is necessary for the completion of Product delivery to the Customer.
- Electronic or car payment processing operators - when the Customer uses the electronic or card payment method in the Online Shop, the Controller will forward the collected personal data of the Customer to the selected operator, which processes such payments for the Online Shop as instructed by the Controller, to the extent as it is necessary for the processing of payment effected by the Customer.
- Lenders / lessors - when the Customer uses the instalment or lease payment method in the Online Shop, the Controller will forward the collected personal data of the Customer to the selected lender or lessor, which processes such payments for the Online Shop on behalf of the Controller, to the extent as it is necessary for the processing of payment effected by the Customer.
- PROFILING IN THE ONLINE SHOP
- The Controller may use profiling in the Online Shop for direct marketing purposes but the decisions made on this basis by the Controller are not related to the conclusion or refusal to conclude a Contract of Sale or the ability to use the Electronic Services in the Online Shop. The use of profiling by the Online Shop may result e.g. in the granting of discount to a specific person, sending a discount code, reminding about unfinished purchases, sending a Product suggestion that could fit the interest or preference of the specific person or offering better terms as compared to the standard offer of the Online Shop. Irrespective of profiling, a specific person freely decides whether to use the discount or better terms, and whether to make a purchase at the Online Shop.
- The Online Shop profiling entails automatic analysis or forecasting of specific person behaviour at the Online Shop, e.g. by adding a specific Product to the basket, viewing a page of a specific Product at the Online Shop, or analysis of the history of purchases made at the Online Shop. This profiling requires the Controller to have personal data of such specific person to order to be to send, e.g. a discount code, to such person.
- Data subject will have the right not to be subject to a decision evaluating personal aspects relating to them which is based solely on automated processing, including profiling, which produces legal effects concerning data subject or similarly significantly affects them.
- RIGHTS OF DATA SUBJECT
- Right to access, rectification, restriction of processing, erasure or right to data portability - the data subject has the right to obtain form the Controller access to their personal data, to have their data rectified, erased (“right to be forgotten”) or their processing restricted, or has the right to object to the processing, and also the right to data portability. Detailed terms and conditions for exercising the aforementioned rights are stipulated in articles 15-21 of the GDPR.
- Right to withdraw consent at any time – the data subject, whose data is processed by the Controller on the basis of a granted consent (in accordance with article 6(1)(a) or article 9(2)(a) of the GDPR), has the right to withdraw the consent at any time without affecting the lawfulness of the processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority – the data subject, whose data is processed by the Controller, has the right to lodge a complaint with the supervisory authority in the manner and in accordance with the procedure defined in the GDPR and in the provisions of the Polish law, in particular the Personal Data Protection Act. The regulatory body in Poland is the President of the Personal Data Protection Authority.
- Right to object - the data subject has the right to object to the processing of their personal data based on article 6(1)(e) (public interest or tasks) or (f) (the Controller's legitimate interest), including the profiling based on these regulations, at any time on grounds relating to their particular situation. In this case the Controller will be no longer allowed to process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interest, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Right to object to direct marketing - if personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of their personal data for such marketing, which includes profiling, to the extent that it is related to such direct marketing.
- COOKIES IN THE ONLINE SHOP, OPERATIONAL DATA AND ANALYTICS
- Cookies are small items of text information in the form of text files. They are sent by the server and saved on the machine of the visitor to the Online Shop (for example, on your computer’s or laptop hard drive, or on smartphone’s memory card, depending on what device is used by the visitor of our Online Shop). For more details on Cookies and a bit of history see: https://en.wikipedia.org/wiki/HTTP_cookie..
- When a visitor uses the Online Shop, the Controller can process data contained in Cookies for the following purposes:
- to identify the Users as being logged in to the Online Shop and show that they are logged in;
- to remember the Products added to the basket to be ordered;
- to remember data filled in in an Order Form, survey or the Online Shop login information;
- to customize the content of the Online Shop to preferences of the user (e.g. colour, font size, page layout) and optimize the use of pages in the Online Shop;
- to make anonymous statistics on how the Online Shop is used;
- to perform remarketing, which is the survey of behaviour of visitors to the Online Shop by an anonymous assessment of their activity (e.g. repeated visits to specific websites, keywords, etc.) to create their profile and provide them with advertising tailored to their expected interest, also when they visit other websites within the advertising network of Google Inc. and Facebook Ireland Ltd;
- Most web browsers available in the market accepts Cookies by default. Anyone may set the Cookies use conditions in the web browser settings. This means that the User can for example, partially limit (e.g. temporarily) or completely disable the saving of Cookies. In the latter case, however, this may affect some functionalities of the Online Shop (for example, it may be impossible to follow the entire ordering procedure through the Order Form as the Products will not be saved in the basket during the ordering steps).
- in Chrome
- in Firefox
- in Internet Explorer
- in Opera
- in Safari
- in Microsoft Edge
- The Controller may use Google Analytics and Universal Analytics provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) at the Online Shop. These services help the Controller in analysing Online Shop traffic. The data collected are processed through these services as anonymised data (this is so called operational data through which data subject may not be identified) to generate statistics to assist in the administration of the Online Shop. This data is anonymous pooled data, i.e. they do not contain any properties that identify visitors (personal data) of the Online Shop. The Controller collects data such as source and media of Online Shop visitors, behaviours of visitors during their visit in the Online Shop, information about devices and browsers from which visitors access the Online Shop, IP address and domain, location and demographic details (age, sex), and interests.
- It is possible for the visitor to easily block information concerning their activity in the Online Shop that are provided to Google Analytics. For this purpose, a plug-in can be installed for the browser. Such plug-in is available from Google Inc. at https://tools.google.com/dlpage/gaoptout