WHO IS THE ADMINISTRATOR OF THE USER’S PERSONAL DATA?

The administrator of the User’s personal data is Firma Produkcyjno-Handlowa Magdalena i Robert Skałka S.C. NIP: 6811647833, 32-425 Trzemeśnia, ŁĘKI 80

indicated in this document with regard to the data of persons using social media and following the Administrator’s profile on a given social media platform and interacting with the Administrator. The Administrator uses social plugins that direct to individual platforms, through which the User can switch to using a given platform. The rules of joint administration are indicated below for each social media platform on which the Administrator has a profile and processes Personal Data.

IS THE PROVISION OF DATA VOLUNTARY? WHAT ARE THE CONSEQUENCES OF NOT PROVIDING IT?

Providing data is voluntary, however, failure to provide certain information, which is generally marked as mandatory on the Administrator’s websites, will result in the inability to perform a given service and achieve a specific goal or take specific actions.
The provision of non-mandatory data or excess data that the Administrator does not need to process is based on the User’s own decision, and in such cases the processing is carried out on the basis of the premise contained in Article 6(1)(a) of the GDPR (consent). The User grants Consent to the processing of this data and to the anonymisation of data that the Controller does not require and does not wish to process, but which the User has nevertheless provided to the Controller.

FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS DOES THE ADMINISTRATOR PROCESS THE USER’S PERSONAL DATA PROVIDED WHEN USING THE WEBSITE?

The User’s personal data on the Administrator’s Website may be processed for the following purposes and on the following legal basis:

1. Performance of a service or performance of a concluded contract, sending an offer (e.g. advertising) at the User’s request – The data is processed for the duration of the contract/the time necessary to send the offer and the User’s response, and then until the expiry of the limitation period for claims –
   2 years or 6 years from the performance of the contract, depending on whether the User is an entrepreneur.
   Article 6(1)(b) of the GDPR (necessary for the conclusion and/or performance of a contract or to take action at the request of the User)
2. Issuing invoices, bills and fulfilling other obligations under tax law in the case of orders placed in the Online Store or other products and services – data is processed for 5 years from the end of the tax year in which the tax event occurred.
   Article 6(1)(c) of the GDPR (obligation under law)
3. Granting discounts or informing about promotions and interesting offers from the Administrator or entities recommended by him, including sending the Newsletter – data is processed until consent is withdrawn, then for a period of 2 years in the case of persons who have withdrawn their consent or after a period of 6 months of no activity on the part of the recipient in the case of sending the Newsletter.
   Article 6(1)(a) of the GDPR (consent)
   Article 6(1)(f) of the GDPR (legitimate interest of the Administrator)
4. Consideration of complaints or claims related to the contract – data is processed for the duration of the procedure or claim
   1 year from the expiry of the claim or 5 years from the end of the tax year for data stored under tax regulations.
   Article 6(1)(b) of the GDPR (necessary for the conclusion and/or performance of a contract) and Article 6(1)(c) of the GDPR (obligation under the law)
5. Establishing, investigating or defending against claims – data is processed until the basis for processing ceases to exist or until the limitation period for claims expires –
   2 years or 6 years from the performance of the contract, depending on whether the User is an entrepreneur.
   Article 6(1)(f) of the GDPR (legitimate interest of the controller).
6. Telephone contact in matters related to the provision of services, contracts – data is processed for the duration of the contract/the time necessary to send the offer and the User’s response, and then until the expiry of the limitation period for claims
   2 years or 6 years from the performance of the contract, depending on whether the User is an entrepreneur.
   Article 6(1)(b) of the GDPR (necessary for the conclusion and/or performance of a contract)
7. Telephone contact for the purpose of presenting offers and direct marketing – data is processed until consent is withdrawn
   Article 6(1)(a) of the GDPR (consent)
8. Creating records related to the GDPR and other regulations – data is processed until the basis for processing ceases to exist or until it is no longer useful to the Controller.
   Article 6(1)(c) of the GDPR (obligation under the law) and Article 6(1)(f) of the GDPR (legitimate interest of the controller)
9. Archiving for the purposes of securing information that may be used to prove facts – data is processed until an objection is raised or it becomes obsolete for the Controller
   or until the limitation period for claims expires – 2 years or 6 years from the performance of the contract, depending on whether the User is an entrepreneur.
   Article 6(1)(f) of the GDPR (legitimate interest of the controller)
10. Analytical purpose, consisting, among other things, in the analysis of Data collected automatically when using the website, including cookies, e.g. Google Analytics or Meta Piksel cookies – Data is processed until the User deletes cookies from their browser
    Article 6(1)(f) of the GDPR (legitimate interest of the controller)
11. Use of cookies on the Website and its subpages – data is processed until the User deletes cookies from their browser.
    Article 6(1)(a) of the GDPR (consent)
12. Management of the Website and the Administrator’s pages on other platforms – data is processed until an objection is raised or the data becomes useless to the Administrator
    Article 6(1)(f) of the GDPR (legitimate interest of the administrator)
13. Service satisfaction survey – data is processed until an objection is raised or the data becomes obsolete for the Controller.
    Article 6(1)(f) of the GDPR (legitimate interests pursued by the controller)
14. Posting of opinions by the User about the services provided by the Administrator – Data is processed until consent is withdrawn or it becomes useless to the Administrator, unless consent is withdrawn earlier
    Article 6(1)(a) of the GDPR (consent)
15. Internal administrative purposes of the Controller related to managing contact with the User – data is processed until the basis for processing ceases to exist
    or until the limitation period for claims expires – 2 years or 6 years from the performance of the contract, depending on whether the User is an entrepreneur.
    6(1)(f) of the GDPR (legitimate interest of the Administrator)
16. Tailoring the content displayed on the Administrator’s websites to individual needs and continuously improving the quality of the services offered – the data is processed until an objection is raised or the Data becomes useless to the Administrator
    Article 6(1)(f) of the GDPR (legitimate interest of the administrator)
17. Direct marketing directed at the User of products or Services or recommended third parties – data is processed until an objection is raised or the Data becomes useless to the Controller
    Article 6(1)(f) of the GDPR (legitimate interest of the controller)
18. operating a Facebook fan page and interacting with Users – data is processed until consent is withdrawn, an objection is raised, or the data becomes useless to the Controller
    Article 6(1)(f) of the GDPR (legitimate interest of the controller) and Article 6(1)(a) of the GDPR (consent)
19. posting comments by the User – data is processed until consent is withdrawn or it becomes obsolete for the Controller.
    Article 6(1)(a) of the GDPR (consent)
20. posting of opinions by the User – data is processed until consent is withdrawn or it becomes obsolete for the Controller.
    Article 6(1)(a) of the GDPR (consent)

21. conducting recruitment – until the conclusion of the contract or withdrawal of consent.
    No longer than 6 months from the end of recruitment.
    For a maximum period of 1 year (this period is counted from the end of the year in which the Data was obtained)
    Until an objection is lodged.
    for the purpose and for the time necessary to take the steps necessary prior to entering into a contract – Article 6(1)(b) of the GDPR, and up to 6 months after the end of the recruitment process, and in the case of data provided voluntarily by the candidate or excess data – based on Article 6(1)(a) of the GDPR (consent), and Article 9(2)(a) of the GDPR (consent) – in the case of sensitive data provided by the candidate,
    for future recruitment purposes – on the basis of consent given pursuant to Article 6(1)(a) of the GDPR,
    for the purpose and for the period necessary to pursue the legitimate interests pursued by the Controller, e.g. pursuing claims and defending against claims, marketing of own products and services (to the extent that processing is necessary for this purpose) – based on Article 6(1)(f) of the GDPR.

22. Creating own User Databases – data is processed until an objection is raised or the Data becomes useless to the Controller
    Article 6(1)(f) of the GDPR (legitimate interest of the controller)

The provision by the User of Data that is not mandatory or excess data that the Administrator does not need to process is based on the User’s own decision, and in such cases the processing is carried out on the basis of the premise contained in Article 6(1)(a) of the GDPR (consent). The User grants Consent to the processing of such Data and to the anonymisation of Data which the Controller does not require and does not wish to process, but which the User has nevertheless provided to the Controller.

HOW IS DATA COLLECTED?

Only Data provided by the User is collected and processed (except, in certain situations, Data collected automatically using cookies and login details, as described below).
When visiting the website, Data relating to the visit itself is collected automatically, e.g. the User’s IP address, domain name, browser type, operating system type, etc. (login data). Automatically collected Data may be used to analyse User behaviour on the Website, collect demographic data about Users, or personalise the content of the Website in order to improve it. However, this data is processed solely for the purposes of administering the Website, ensuring efficient hosting services, or directing marketing content, and is not associated with the Data of individual Users. This data is generally anonymous and is used for the proper use of the Website. You can read more about cookies later in this Policy.
Data may also be collected for the purpose of completing forms on the Website, as discussed later in this Privacy Policy.

Information society services
The Administrator does not collect Children’s Data. The User must be at least 16 years of age to independently express Consent to the processing of Personal Data for the purpose of providing information society services within the Website, including for marketing purposes, or to obtain the Consent of a legal guardian (e.g. parent) for this purpose.
If the User is under 16 years of age, they should not use the Website and the Service.
The Administrator is entitled to make reasonable efforts to verify whether the User meets the age requirement referred to above, or whether the person exercising parental authority or guardianship over a User under the age of 16 has given or approved their Consent.

WHAT ARE THE USER’S RIGHTS?

The user is entitled at any time to the rights set out in Articles 15-21 of the GDPR, i.e.:
a. the right to access their Data,
b. the right to transfer Data,
c. the right to correct Data,
d. the right to rectify Data,
e. the right to delete Data if there are no grounds for its processing,
f. the right to restrict processing if it has been carried out incorrectly or without legal basis,
g. the right to object to the processing of Data on the basis of the legitimate interest of the controller,
h. the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (on the terms specified in the Personal Data Protection Act) if they believe that the processing of their data is inconsistent with the currently applicable data protection regulations.
i. the right to be forgotten, if further processing is not provided for by the current legal provisions.
The Controller points out that these rights are not absolute and do not apply to all processing activities involving the User’s Personal Data. This applies, for example, to the right to obtain a copy of the data. This right must not adversely affect the rights and freedoms of others, such as copyright or professional secrecy. For information on the limitations of the User’s rights, please refer to the GDPR.
However, the User always has the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, tel. 22 531-03-00, e-mail: kancelaria@uodo.gov.pl, if they believe that the processing of personal data violates the provisions of the GDPR or other applicable regulations concerning the processing of personal data.

In order to exercise their rights, Users may contact the Administrator via e-mail at: magdalena.skalka@wp.pl or by post to the address of the Administrator’s place of business, if provided in this Privacy Policy, indicating the scope of their requests. A response will be provided within 30 days of receipt of the request and its justification, unless an extension of this period is justified in accordance with the GDPR.

CAN THE USER WITHDRAW THEIR CONSENT?

If the User has given their Consent to a specific action, such Consent may be withdrawn at any time, which will result in the removal of the e-mail address from the Administrator’s mailing list and the cessation of the indicated actions (in the case of registration based on Consent). The User may withdraw their Consent by clicking on the ‘unsubscribe’ link or similar in the Newsletter, after which the User will be redirected to a page where they will be asked to confirm the withdrawal of their Consent. The User may also withdraw their Consent by sending a statement to the Administrator’s e-mail address or to the address of the Administrator’s place of business, if provided in this Privacy Policy. Withdrawal of consent does not affect the processing of data that was carried out on the basis of consent before its withdrawal. In some cases, the Data may not be completely deleted and will be retained for the purpose of defending against possible claims for a period of time consistent with the provisions of the Civil Code or, for example, for the purpose of fulfilling legal obligations imposed on the Administrator.
In each case, the Administrator will respond to the User’s request, providing appropriate justification for further actions resulting from legal obligations.

DOES THE ADMINISTRATOR TRANSFER USER DATA TO THIRD COUNTRIES?

User data is not transferred to third countries.

Due to the fact that the Administrator uses external providers of various services, e.g. Meta Platforms Ireland Limited (Facebook and subsidiaries) or Google, Microsoft, etc., User Data may be transferred to the United States of America (USA) in connection with its storage on American servers (in whole or in part). In the case of Meta Platforms and Google, data transfer to the USA is based on:

a. The European Commission’s decision of 10 July 2023, confirming the adequate level of data protection under the EU-U.S. Data Privacy Framework, issued pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
b. Standard contractual clauses (SCCs) approved by the European Commission.
c. Additional safeguards applied by service providers (e.g. encryption, anonymisation).
In other cases, Users’ Personal Data will only be transferred to recipients who guarantee the highest level of protection and security of the Data, including through:
a) cooperation with entities processing Personal Data in countries for which a relevant decision has been issued by the European Commission,
b) using standard contractual clauses issued by the European Commission,
c) applying binding corporate rules approved by the competent supervisory authority,
or to those to whom the User has given their consent to transfer Personal Data.
Detailed information is available in the privacy policies of each of these service providers, available on their websites. For example:
Google Ireland Limited: https://policies.google.com/privacy?hl=pl
Meta Platforms Ireland Limited: https://www.facebook.com/privacy/explanation

HOW LONG DOES THE ADMINISTRATOR STORE USER DATA?

User Data will be stored by the Administrator for the duration of the provision of individual services/achievement of the objectives indicated in the table above, and:
a) for the duration of the service provision and cooperation, as well as for the limitation period for claims in accordance with the provisions of law – with regard to Data provided by contractors, customers or Users,
b) for the duration of discussions and negotiations preceding the conclusion of a contract or the performance of a service – with regard to Data provided in a request for quotation,
c) for the period required by law, including tax law – with regard to Personal Data related to the fulfilment of obligations under applicable regulations,
d) until an effective objection is lodged on the basis of Article 21 of the GDPR – with regard to Personal Data processed on the basis of the legitimate interest of the controller, including for direct marketing purposes,
e) until the Consent is withdrawn or the purpose of processing or business objective is achieved — with regard to Personal Data processed on the basis of Consent. After withdrawal of Consent, the Data may still be processed for the purpose of defending against possible claims in accordance with the limitation period for such claims or the (shorter) period indicated to the User,
f) until it becomes outdated or loses its usefulness – with regard to Personal Data processed mainly for analytical and statistical purposes, the use of cookies and the administration of the Administrator’s Websites,
g) for a maximum period of 2 years in the case of persons who have unsubscribed from the Newsletter in order to defend against possible claims (e.g. information about the date of subscription and the date of unsubscribing from the Newsletter, the number of Newsletters received, actions taken and activities related to the messages received), or after a period of 6 months of no activity by a given subscriber, e.g. not opening any messages from the Administrator. The Data storage periods indicated in years are calculated at the end of each year in which the processing of the Data commenced. This is to streamline the process of processing and managing the Data.
Detailed periods of personal data processing, relating to specific processing activities, are included in the Administrator’s processing activity register.

LINKS TO OTHER WEBSITES

The Website may contain links to other websites. These links will open in a new browser window or in the same window. The Administrator is not responsible for the content provided by these websites. The User is obliged to read the privacy policy or terms and conditions of these websites.

DATA SECURITY

The User’s personal data is stored and protected with due diligence, in accordance with the Administrator’s internal procedures. The Administrator processes information about the User using appropriate technical and organisational measures that meet the requirements of generally applicable law, in particular the provisions of the Personal Data Protection Act and the GDPR. These measures are primarily aimed at protecting Users’ Personal Data from unauthorised access.
In particular, access to Users’ Personal Data is restricted to authorised persons who are obliged to keep such Data confidential, or to entities entrusted with the processing of Personal Data on the basis of a separate Data processing agreement.
At the same time, the User should exercise due diligence in securing their Personal Data transmitted over the Internet, in particular by not disclosing their login details to third parties, using anti-virus protection and updating their software.

WHO CAN BE THE RECIPIENTS OF PERSONAL DATA?

The Administrator informs that it uses the services of external entities. The entities to which it entrusts the processing of Personal Data (such as courier companies, electronic payment intermediaries, accounting services companies, companies enabling the sending of newsletters) guarantee the use of appropriate measures to protect and secure Personal Data as required by law, in particular by the GDPR.
The Administrator informs the User that it entrusts the processing of Personal Data to, among others, the following entities:
1. ____________________________ – for the purpose of storing Personal Data on a server,
2. _______________________________ – for creating landing pages and collecting leads,
3. __________________________________ – for the purpose of issuing accounting documents,

4. other contractors or subcontractors involved in technical or administrative support, or in providing legal assistance to the Administrator and its customers, e.g. accounting, HR, IT, graphic design, copywriting, debt collection companies, lawyers, etc.
Personal data may also be made available to other recipients, including authorities, e.g. the tax office, for the purpose of fulfilling legal and tax obligations related to settlements and accounting.
Entities that process Personal Data, such as the Administrator, ensure compliance with European standards for the protection of Personal Data, including standards set by legal acts and decisions of the European Commission, and apply compliance mechanisms also when transferring Data outside the EEA (European Economic Area), including in the form of standard contractual clauses adopted by the European Commission by Decision 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council https://eur-lex.europa.eu/legal-content/PL/TXT/PDF/?uri=CELEX:32021D0915&from=PL

HAS THE CONTROLLER APPOINTED A DATA PROTECTION OFFICER?

The Personal Data Administrator hereby informs that it has not appointed a Data Protection Officer (DPO) and performs its duties related to the processing of Personal Data independently.
The User acknowledges that their Personal Data may be transferred to authorised state authorities in connection with proceedings conducted by them, at their request and after fulfilling the conditions confirming the necessity of obtaining such Data from the Administrator.

DOES THE ADMINISTRATOR PROFILE USER DATA?

The User’s personal data will not be used for automated decision-making affecting the User’s rights, obligations or freedoms within the meaning of the GDPR.
Within the Website and tracking technologies, the User’s Data may be profiled, which helps to better personalise the Administrator’s offer to the User (mainly through so-called behavioural advertising). However, this should not have any impact on the User’s legal situation, in particular on the terms and conditions of contracts concluded by them or contracts they intend to conclude. It can only help to better tailor the content and targeted advertising to the User’s interests. The information used is anonymous and is not associated with the personal data provided by the User, e.g. during the purchase process. It is derived from statistical data such as gender, age, interests, approximate location, and behaviour on the Website.
Every User has the right to object to profiling if it would have a negative impact on the User’s rights and obligations.
More about behavioural advertising here: https://www.youronlinechoices.com/pl/o-reklamie-behawioralnej