The owner of the Online Store and the Website, and at the same time the Data Controller, is Floslek Sp. z o.o. (formerly: Laboratorium Kosmetyczne FLOSLEK Furmanek Sp. j.) with its registered office in Piaseczno (05-500), ul. Geodetów 154, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, under KRS number 0001061062, NIP (tax ID): 9510023298, REGON: 010440910, hereinafter referred to as the “Controller”.
Personal data collected by the Controller via the Online Store and the Website shall be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also referred to as the GDPR. In order to fulfil the provisions of the aforementioned Regulation, the Controller has appointed a Personal Data Protection Officer.
The Controller shall make every effort to respect the privacy of the users visiting the Online Store and the Website.
1. TYPE OF DATA PROCESSED, PURPOSES AND LEGAL BASIS
1.1. The Controller collects information concerning individuals who are users of the Website and of the Online Store. This includes information concerning customers who are individuals, as well as information concerning individuals who represent legal persons or organisational units without legal personality that are granted legal capacity under the law, or who conduct business or professional activity on their own behalf, and who are customers, newsletter subscribers, persons sending enquiries to the Controller, or persons reporting adverse effects.
1.2. The users’ personal data shall be collected and processed in the following cases and for the purposes indicated below:
• account registration in the Online Store, for the purpose of creating and managing an individual account. Legal basis: necessary for execution of the contract for the provision of the Account service (Article 6(1)(b) of the GDPR);
• placing an order in the Online Store, for the purpose of execution of the sales contract. Legal basis: necessary for execution of the sales contract (Article 6(1)(b) of the GDPR);
• filing a complaint, for the purpose of handling complaint processes. Legal basis: the Controller’s obligation under the provisions of the Civil Code on statutory warranty for defects in sold items (Article 6(1)(c) of the GDPR in connection with the provisions of the Polish Civil Code);
• for the purpose of communication in matters related to the performance of services provided via the Online Store. Legal basis: necessary for pursuing purposes arising from the legitimate interests of the Controller (Article 6(1)(f) of the GDPR);
• for the purpose of complying with the Controller’s legal obligations (e.g. issuing an invoice) – in such a case, the basis for processing is Article 6(1)(c) of the GDPR in connection with specific provisions of law, e.g. provisions of the VAT Act stipulating the obligation to issue an invoice;
• for the purpose of marketing the Controller’s own services, e.g. sending direct personalised marketing messages to users via the Store’s Website, such as suggestions to purchase goods generated with the use of profiling, i.e. based on the user’s previous purchases. Legal basis: legitimate interest of the Controller (Article 6(1)(f) of the GDPR);
• subscription to the newsletter, for the purpose of sending the newsletter. Legal basis: consent of the data subject expressed by subscribing to the newsletter (Article 6(1)(a) of the GDPR);
• using the contact form, for the purpose of replying to a sent message. The legal basis is the execution of a contract or taking action prior to the conclusion of a contract at the request of the data subject (Article 6(1)(b) of the GDPR). Where the user contacts the Controller for a purpose not connected with a contract, the legal basis is consent: by sending the contact form, the user consents to the processing of the personal data contained therein for the purpose of replying to the sent message (Article 6(1)(a) of the GDPR);
• where the user is not acting on their own behalf, but as a representative of the Client, the user’s personal data is processed for the purpose of providing the specific service/other activity, as referred to above, to the Client. Legal basis: legitimate interest of the Controller (Article 6(1)(f) of the GDPR);
• submitting an Adverse Effects Notification using the form, for the purpose of verifying the notification, fulfilling the obligations imposed on the Controller by the relevant provisions of law (Regulation 1223/2009), and preparing a response to the notification.
1.3. If a user subscribes to the newsletter, the Controller shall send electronic messages to their e-mail address containing commercial information about promotional campaigns and new products available in the Online Store.
1.4. Personal data may be processed in an automated manner, including in the form of profiling, which may involve suggesting products best tailored to users (e.g. based on previous purchases). Personal data shall not be processed for the purpose of automated decision-making.
1.5. As a rule, the Controller shall process personal data received directly from the users of the Website or of the Online Store. An exception is when the Controller receives, from the Client, the data of a person who is not the Client. This happens when the Client provides a third party’s personal data (name, surname, address and telephone number) as the shipping details for delivery “to a different address”. In that case the Controller shall process such personal data on the basis of the Controller’s legitimate interest, i.e. for the purpose of executing the contract with the Client (Article 6(1)(f) of the GDPR).
1.6. When using the Website or the Online Store, additional information may be collected, in particular the IP address assigned to the user’s computer or the external IP address of the Internet provider, domain name, browser type, access time, and operating system type.
1.7. The Controller also processes the personal data of users visiting the Controller’s social media profiles (Facebook, YouTube, Instagram). The data is processed exclusively in connection with running the profile, in order to inform the users about the Controller’s activities and to promote various events, services and products, as well as to communicate with users through the functionalities available via social media. The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting of promoting its own brand and building and maintaining a community associated with the brand.
1.8. The Controller also collects data of other persons, such as Employees.
1.9. Navigational data may also be collected from users, including information about the links and hyperlinks the users choose to click or other actions they take in our Online Store. Legal basis: legitimate interest (Article 6(1)(f) of the GDPR), consisting of facilitating the use of services provided electronically and improving the functionality of these services.
1.10. For the purpose of establishing, asserting and enforcing claims, certain personal data provided by the user as part of using the functionalities of the Online Store may be processed, such as name, surname, data on the use of services (if the claims arise from the manner in which the user uses the services), and other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis: legitimate interest (Article 6(1)(f) of the GDPR), consisting of the establishment, assertion and enforcement of claims and defence against claims in proceedings before the courts and other state authorities.
1.11. Providing personal data to the Controller is voluntary; however, refusal to provide such data may result in the impossibility of using services or functionalities of the Online Store, e.g.:
• providing data marked as obligatory on the order form is necessary to place an order (this includes data necessary to conclude and execute the contract, including delivery of purchased products, e.g. telephone number is necessary for delivery by courier);
• providing data marked as obligatory on the user account registration form is necessary to create the account;
• providing data marked as obligatory on the contact form is necessary to use this form of contact;
• providing an e-mail address is necessary to subscribe to the newsletter;
• providing personal data is necessary to lodge a complaint for consideration;
• providing personal data is necessary to exercise the right to withdraw from the contract;
• providing personal data is necessary to register an Adverse Effect Notification.
2. To whom is the data disclosed or outsourced and how long is it retained?
2.1. The user’s personal data shall be transferred to the service providers used by the Controller in the course of operating the Online Store. Service providers to whom personal data is transferred, depending on contractual arrangements and circumstances, are either subject to instructions from the Controller as to the purposes and means of processing such data (processors) or determine the purposes and means of processing themselves (controllers).
• Processors: The Controller uses service providers who process personal data only on the instructions of the Controller. These include, among others, the provider of the platform on which the Online Store operates, providers of programming and administration services, providers of hosting services, accounting services, providers of marketing and e-mail marketing systems, providers of newsletter systems, providers of systems for analysing traffic in the Online Store and systems for analysing the effectiveness of marketing campaigns.
• Controllers: The Controller uses service providers who do not act solely on instructions and who determine the purposes and means of processing customers’ personal data themselves. They provide courier services, electronic payment services and banking services.
2.2. In the event of making a purchase in the Online Store, personal data may be transferred to a courier company for the purpose of delivering the ordered goods.
2.3. In the case where the Client chooses to make a payment through the imoje.pl system, their personal data is transferred to the extent necessary for the execution of payment to ING Bank Śląski S.A. in connection with:
• the Bank providing the Online Store with the service of making available the infrastructure for handling payments via the Internet (legal basis: Article 6(1)(f) of the Regulation).
• the Bank handling and settling payments made by the Clients of the Online Store by means of payment instruments (legal basis: Article 6(1)(f) of the Regulation).
• verifying the proper execution of contracts concluded with the Online Store, in particular to ensure the protection of payers’ interests in connection with the complaints they submit (legal basis: Article 6(1)(f) of the Regulation).
2.4. Should the Client choose the Twisto deferred payment service, their personal data shall be transferred to Twisto Polska sp. z o.o. to the extent necessary for providing this service. Personal data shall be processed for the purpose of transferring the Client’s personal data to Twisto Polska sp. z o.o. in connection with the possibility of Twisto Polska sp. z o.o. proposing to make the payment for the purchased goods or services under a contract of mandate including the “Buy with Twisto” purchasing formula and making that purchasing formula available through the Online Store, as well as for the purpose of Twisto Polska sp. z o.o. verifying the proper execution of such contracts of mandate (legal basis: Article 6(1)(f) of the Regulation).
• Where the Client provides their personal data for the purpose of transferring it to Twisto Polska sp. z o.o. before concluding a contract of sale of goods (or services) purchased in the Online Store, transferring this data is a condition for concluding the sales contract, in connection with the business model adopted by the Online Store.
• In the case of transferring the Client’s personal data to the Bank in connection with the handling and settlement of payments made by the Client to the Online Store via the Internet using payment instruments, provision of the data is required to execute the payment and for the Bank to transfer confirmation of its execution to the Online Store.
• If the Client’s personal data is provided to the Bank for the purpose of the Bank verifying the proper execution of contracts concluded with the Online Store, in particular to ensure the protection of the payers’ interests in connection with their complaints, the provision of such data is required to enable the execution of the contract concluded between the Online Store and the Bank.
• In the case of transferring the Client’s personal data to Twisto Polska sp. z o.o. in connection with the possibility of Twisto Polska sp. z o.o. proposing options to the Client for making payment for the purchased goods or services under a contract of mandate including the “Buy with Twisto” purchasing formula and making that purchasing formula available through the Online Store, providing such data and its processing for that purpose is required in connection with the business model adopted by the Online Store and in order to execute the contract concluded between the Online Store and Twisto Polska sp. z o.o.
2.5. If the Controller uses processors from outside the EEA, it shall select processors from countries for which the European Commission has concluded that they provide an adequate level of protection or, in the case of processors from other countries, it shall implement legal mechanisms in advance ensuring adequate safeguards, such as standard contractual clauses approved by the Commission. Detailed information about transfers of Personal Data to third countries, the safeguards applied, as well as a copy of such safeguards can be obtained by contacting the Controller using the contact details provided in this clause.
2.6. Personal data shall be stored for the period of the service provision and after its termination – for the period necessary to establish, assert or defend claims and perform legal obligations incumbent on the Controller (e.g. issuing and storing the invoice), in accordance with the provisions of law.
2.7. In the case of data processing on the basis of the granted consent, the Controller shall cease processing the data for the purpose indicated in the content of the consent immediately after its withdrawal.
2.8. If the data is processed only for the purpose of answering the sent correspondence, the data shall be deleted (together with the e-mail correspondence or the message sent via the contact form) 12 months after the question was answered or after the last contact.
2.9. Navigation data may be used to provide users with better service, to analyse statistical data and to adapt the Online Store to users’ preferences, as well as for administration of the Online Store.
3. Cookie mechanism, IP address
3.1. The Online Store and Website use small files called cookies. These are saved on the end device of the person visiting the Online Store or the Website, if allowed by their Internet browser. A cookie typically contains the name of the domain from which it originated, its “expiration time” and an individual, random number which identifies the cookie. Information collected by means of this type of file helps to adjust the offered products to individual preferences and the real needs of persons visiting the Online Store or the Website. They also provide the ability to compile general statistics about visits to the Online Store or the Website.
3.2. The Controller uses two types of cookies:
• session cookies: once the browser session ends or the computer is switched off, the stored information is deleted from the device memory. The session cookie mechanism does not allow the collection of any personal data or any confidential information from a user’s computer;
• permanent cookies: stored in the memory of the user’s end device, where they remain until deleted or until their expiry. The permanent cookie mechanism does not allow the collection of any personal data or any confidential information from a user’s computer.
3.3. The Controller uses own cookies for the purpose of:
• authentication of the user in the Online Store and ensuring a user session in the Online Store (after logging in), thanks to which the user does not have to re-enter the login and password on each subpage of the Online Store;
• analysing, checking and auditing page views and, in particular, creating anonymous statistics which help with understanding how the users use the Website and the Online Store, which allows for improvement of their structure and content.
3.4. The Controller uses external cookies for the purpose of:
• popularisation of the Online Store and the Website by means of the social networking site facebook.com (external cookies administrator: Facebook, Inc. with its registered office in the USA or Facebook Ireland with its registered office in Ireland);
• collecting general and anonymous statistical data via the Google Analytics tools (external cookies administrator: Google LLC with its registered office in the USA).
3.5. The cookie mechanism is safe for the computers of the Online Store and Website users. It is not possible for viruses or other unwanted software or malware to enter users’ computers via this route. Nevertheless, users can limit or disable cookies through their browser settings. In such cases, the use of the Online Store and the Website shall remain possible; however, functions which require cookies will be limited.
3.6. The Client can, by modifying the settings of their Internet browser, change the settings for saving cookies.
3.7. The Controller may collect Clients’ IP addresses. An IP address is a number assigned by the Internet service provider to the computer of a person visiting the Online Store or the Website. The IP address allows access to the Internet. In most cases it is assigned to a computer dynamically, i.e. it changes with each Internet connection, and for this reason it is commonly treated as non-personally identifiable information. The IP address is used by the Controller for diagnosing technical problems with the server, creating statistical analyses (e.g. determining which regions generate the highest number of visits), as information useful for the administration and improvement of the Online Store and the Website, as well as for security purposes, including the identification of unwanted automated software that overloads the server or crawls the contents of the Online Store and the Website.
3.8. The Online Store and the Website contain links and hyperlinks to other websites. The Store Owner shall not be responsible for the principles of privacy protection applicable on other such websites.
4. Rights of data subjects
4.1. Under the current legislation, the data subject has the right to:
• access to information about the personal data processed by the Controller, i.e. the right to access the data and the right to obtain a copy of the stored data;
• rectification of personal data, where the data is incorrect or incomplete;
• erasure of personal data (“the right to be forgotten”), in particular where the data is stored unlawfully or is no longer necessary for the purposes for which it was collected;
• restriction of the processing of personal data, in particular where the data is inaccurate, processed unlawfully or no longer necessary for the purposes of the processing, or where the data subject has objected to the processing of such data;
• portability of personal data, where the processing is based on a contract or on consent and is carried out by automated means;
• lodging a complaint with the supervisory authority, i.e. the President of the Office for Personal Data Protection.
4.2. If the user has given consent to certain processing activities, they have the right to withdraw their consent at any time. Withdrawing the consent shall not affect the lawfulness of the processing which was performed on the basis of the expressed consent before its withdrawal.
4.4. Unsubscribing from the newsletter can be done by clicking on the link in the newsletter message or by sending a request to email@example.com.
5. Security management – password
5.1. The Controller shall provide users with a secure and encrypted connection when transferring personal data and when logging in to the Online Store. The Controller uses an SSL certificate issued by one of the world’s leading companies in the field of security and the encryption of data transmitted over the Internet.
5.2. If a Client with an account in the Online Store has in any manner lost their access password, the Online Store allows a new password to be generated. The Controller does not send password reminders. The password shall be stored in an encrypted form in such a manner that it cannot be read. In order to generate a new password, the user must provide their e-mail address in the form available under the “Forgot your password?” link shown while logging in to the Online Store account. The Client shall then receive an e-mail message, sent to the e-mail address provided during registration or saved in the last update of the account profile, containing a link to a dedicated form on the Online Store website where the Client can set a new password.
5.3. The Controller shall never send any correspondence, including electronic correspondence, asking for login data, especially the password to the Client’s account.
6.3. Last updated: 01/01/2021.