PRIVACY POLICY OF EASYKLIMA.COM
TABLE OF CONTENTS:
- GENERAL PROVISIONS
- GROUNDS FOR DATA PROCESSING
- PURPOSE, BASIS AND DURATION OF PROCESSING ON THE WEBSITE
- DATA RECIPIENTS ON THE WEBSITE
- PROFILING ON THE WEBSITE
- RIGHTS OF THE DATA SUBJECT
- WEBSITE COOKIES AND ANALYTICS
- FINAL PROVISIONS
1. GENERAL PROVISIONS
1.3. Personal data on the Website is processed by the Controller in accordance with the applicable legal provisions, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter called the “GDPR” or the “GDPR Regulation”. Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.7. All words, phrases and acronyms appearing in this Privacy policy and beginning with a capital letter (e.g. Seller, Website, Electronic service) shall be understood in accordance with their definition contained in the Terms and Conditions of the Website available on the Website.
2. GROUNDS FOR DATA PROCESSING
2.1. The Controller is entitled to process personal data in the cases and to the extent that one or more of the following conditions are met: (1) the data subject has given consent to the processing of his/her personal data for one or more specified purposes; (2) processing is necessary to perform an agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject or (4) processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a minor.
2.2. Processing of personal data by the Controller shall each time require the existence of at least one of the grounds indicated under point 2.1 of the Privacy policy. Specific grounds for processing the personal data of the Service recipients and Customers of the Website by the Controller are indicated in the next point of the Privacy policy – with reference to a given purpose of personal data processing by the Controller.
3. PURPOSE, BASIS AND DURATION OF PROCESSING ON THE WEBSITE
3.1. In each case, the purpose, basis and duration and recipients of the personal data processed by the Controller result from the activities undertaken by the respective Service recipient or Customer on the Website or by the Controller.
3.2. The Controller may process personal data within the Website for the following purposes, on the grounds and for the periods indicated in the table below:
Purpose of data processing | Legal basis for processing | Period of data retention |
Performance of a Sales agreement or an agreement for the provision of the Electronic service, or taking action at the request of the data subject prior to entering into the above-mentioned agreements | Art. 6 para. 1 (b) of the GDPR Regulation (performance of an agreement) – processing is necessary for the performance of an agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into an agreement | The data shall be stored for the period necessary for the performance, termination or other expiration of the concluded Sales agreement or Electronic service agreement. |
Direct marketing | Art. 6 para. 1 (f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes resulting from the Controller’s legitimate interests, consisting in taking care of the Controller’s interests and good image, its Website and striving to sell the Products | The data shall be stored for the period of existence of the legally justified interest pursued by the Controller, however, no longer than for the period of the statute of limitations of the Controller’s claims against the data subject on account of the Controller’s economic activity. The period of limitation shall be determined by the provisions of law, in particular the Civil Code (the basic period of limitation for claims related to the conduct of business activities is three years, and for the Sales agreement – two years). The Controller may not process the data for direct marketing purposes in the event of an effective objection by the data subject. |
Marketing | Art. 6 para. 1 (a) of the GDPR Regulation (consent) – the data subject has given consent to the processing of his/her personal data for marketing purposes by the Controller | The data shall be stored until the data subject withdraws the consent to further processing for this purpose. |
Customer’s opinion on the concluded Sales agreement | Art. 6 para. 1 (a) of the GDPR Regulation – the data subject has consented to the processing of the personal data for the purpose of expressing an opinion | The data shall be stored until the data subject withdraws the consent to further processing for this purpose. |
Bookkeeping | Art. 6 para. 1 (c) of the GDPR Regulation in conjunction with art. 74 para. 2 of the Accounting act of 30 January 2018 (Journal of Laws 2018, item 395 as amended) – processing is necessary for compliance with a legal obligation to which the Controller is subject | The data is kept for the period required by the law requiring the Controller to keep accounts (5 years, counting from the beginning of the year following the financial year to which the data refers). |
Determining, pursuing or defending claims which the Controller may assert or which may be asserted against the Controller | Art. 6 para. 1 (f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes resulting from the Controller’s legitimate interests, consisting in establishing, pursuing or defending claims, which may be raised by the Controller or which may be raised against the Controller | The data shall be stored for the period of existence of the legally justified interest pursued by the Controller, however no longer than for the period of limitation of claims that may be raised against the Controller (the basic limitation period for claims against the Controller is six years). |
Using the Website and ensuring its proper functioning | Art. 6 para. 1 (f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes resulting from the Controller’s legitimate interests, consisting in running and maintaining the Website | The data shall be stored for the period of existence of the legally justified interest pursued by the Controller, however, no longer than for the period of the statute of limitations of the Controller’s claims against the data subject on account of the Controller’s economic activity. The period of limitation shall be determined by the provisions of law, in particular the Civil Code (the basic period of limitation for claims related to the conduct of business activities is three years, and for the Sales agreement – two years). |
Keeping statistics and Website traffic analyses | Art. 6 para. 1 (f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes resulting from the Controller’s legitimate interests, consisting in statistics and analysis of traffic on the Website in order to improve the functioning of the Website and increase sales of the Products | The data shall be stored for the period of existence of the legally justified interest pursued by the Controller, however, no longer than for the period of the statute of limitations of the Controller’s claims against the data subject on account of the Controller’s economic activity. The period of limitation shall be determined by the provisions of law, in particular the Civil Code (the basic period of limitation for claims related to the conduct of business activities is three years, and for the Sales agreement – two years). |
4. DATA RECIPIENTS ON THE WEBSITE
4.1. For proper functioning of the Website, including performance of the concluded Sales agreements, it is necessary for the Controller to use services of external entities (such as e.g. software provider, courier or payment processor). The Controller shall only use the services of sub-processors who provide sufficient guarantees of implementing adequate technical and organisational measures for the processing to meet the requirements of the GDPR Regulation and to protect the rights of data subjects.
4.2. Personal data may be transferred by the Controller to a third country, whereby the Controller ensures that, in such a case, this will be done in relation to a country ensuring an adequate level of protection – in accordance with the GDPR Regulation and, in the case of other countries, that the transfer will take place on the basis of standard data protection clauses. The Controller shall ensure that the data subject is able to obtain a copy of his/her data. The Controller shall transfer the personal data collected only if and to the extent necessary for the fulfilment of the given purpose of the processing in accordance with this Privacy policy.
4.3. Transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the Privacy policy – the Controller transfers the data only if it is necessary for the implementation of a given purpose of personal data processing and only to the extent necessary for such implementation.
4.4. The personal data of the Service recipients and Customers of the Website may be transferred to the following recipients or categories of recipients:
1.1.1. carriers – in the case of the Customer who uses the courier for Product delivery under the Website, the Controller shall make the collected personal data of the Customer available to the selected courier, executing the shipment on the order of the Controller to the extent necessary to carry out the delivery of the Product to the Customer.
1.1.2. entities processing electronic or credit card payments – in the case of the Customer who uses the electronic or credit card payment method under the Website, the Controller shall make the collected personal data of the Customer available to a selected entity processing the aforementioned payments under the Website at the request of the Controller to the extent necessary to handle the payment made by the Customer.
1.1.3. crediting entities – in the case of the Customer who uses the payment in instalments under the Website, the Controller shall make the collected personal data of the Customer available to a selected entity processing the aforementioned payments under the Website at the request of the Controller to the extent necessary to handle the payment made by the Customer.
1.1.4. opinion poll system provider – in the case of the Customer who agreed to express an opinion on the Sales agreement concluded, the Controller makes the collected personal data of the Customer available to a selected entity providing a system of opinion polls on the Sales agreements concluded under the Website at the request of the Controller to the extent necessary to express an opinion by the Customer with the help of the opinion poll system.
1.1.5. service providers supplying the Controller with technical, IT and organisational solutions enabling the Controller to run its business, including the Website and the Electronic services provided by means of it (in particular, providers of computer software for running the Website, e-mail and hosting providers, and providers of business management and technical support software for the Controller) – the Controller shall make the collected personal data of the Customer available to the chosen provider acting on its behalf only in the case and to the extent necessary for the performance of the given purpose of data processing in accordance with this Privacy policy.
1.1.6. providers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular an accounting office, a law firm or a debt collection agency) – the Controller shall make the collected personal data of the Customer available to the selected provider acting on its behalf only in the case and to the extent necessary to carry out the given purpose of data processing in accordance with this Privacy policy.
1.1.7. (e.g. logging in with social network credentials) and to transfer the personal data of the visitor to these providers for this purpose, including:
1.1.7.1. Facebook Ireland Ltd. – the Controller uses Facebook social plug-ins on the Website (e.g. button Like, button Share or logging in with Facebook credentials) and therefore collects and discloses the personal data of the Customer using the Website to Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) to the extent and in accordance with the Privacy policy available at: https://www.facebook.com/about/privacy/ (this data includes information about your activities on the Website, including information about your device, the sites you visit, your purchases, the ads you see, and how you use the services – regardless of whether you have a Facebook account and are logged into Facebook).
5. PROFILING ON THE WEBSITE
5.1. The GDPR Regulation imposes an obligation on the Controller to inform about automated decision-making, including profiling as referred to in art. 22 para. 1 and 4 of the GDPR Regulation, and, at least in these cases, relevant information on the modalities of such decision-making, as well as on the significance and the expected consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this point of the Privacy policy.
5.2. The Controller may use profiling on the Website for direct marketing purposes, but decisions made on its basis by the Controller do not concern concluding or refusing to conclude the Sales agreement or the possibility of using the Electronic services on the Website. The use of profiling on the Website may result, for example, in a person being given a discount, being sent a discount code, being reminded of unfinished purchases, being offered a Product that may match his/her interests or preferences, or being offered better terms compared to the Website’s standard offer. Despite the profiling, it is the individual who freely decides whether he/she wishes to take advantage of the discount received in this way or better conditions and make a purchase on the Website.
5.3. Profiling on the Website consists in automatic analysis or prediction of a given person’s behaviour on the Website, e.g. by adding a particular Product to the shopping cart, browsing a particular Product page on the Website or by analysing the history of purchases made on the Website to date. The condition for such profiling is that the Controller possesses the personal data of the person in question in order to be able to send him/her a discount code, for example.
5.4. The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning that person or significantly affects him/her in a similar manner.
6. RIGHTS OF THE DATA SUBJECT
6.1. Right to access, rectify, restrict the processing, delete or transfer – the data subject has the right to request from the Controller access to his/her personal data, rectify it, delete it (“right to be forgotten”) or restrict its processing, the right to object to processing and to transfer the data. The detailed conditions for exercising the rights indicated above are indicated in art. 15-21 of the GDPR Regulation.
6.2. Right to withdraw consent at any time – the person whose data is processed by the Controller on the basis of expressed consent (pursuant to art. 6 para. 1 (a) or art. 9 para. 2 (a) of the GDPR Regulation) is entitled to withdraw consent at any time without affecting the legality of the processing that was carried out on the basis of consent before its withdrawal.
6.4. Right to object – the data subject shall have the right to object at any time, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her based on art. 6 para. 1 (e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling under these provisions. The Controller shall in that case no longer be permitted to process such personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
6.6. In order to exercise the rights referred to in this point of the Privacy policy, one can contact the Controller by sending a relevant message in writing or by e-mail to the Controller’s address indicated at the beginning of the Privacy policy or by using the contact form available on the Website.
7. WEBSITE COOKIES AND ANALYTICS
According to the supplier: own (created by the Controller’s Website) and belonging to third parties (other than the Controller) | According to the storage period on the device of the visitor accessing the Website: session (stored until you log out of the Website or close your web browser) and permanent (stored for a specific period defined by the parameters of each file or until manually deleted) | According to the purpose of their use: essential (to enable the proper functioning of the Website), functional/preferential (enabling the Website to adapt to the visitor’s preferences), analytical and performance (gathering information about how the Website is used), marketing, advertising and social network (collecting information about a visitor to the Website in order to display advertisements to that person, personalise them, measure effectiveness and conduct other marketing activities, including on websites other than the Website, such as social networking sites or other sites belonging to the same advertising networks as the Website) |
Purposes of cookies on the Controller’s Website | identifying the Service recipients as logged in to the Website and showing that they are logged in (essential cookies) |
remembering the Products added to the basket in order to place the Order (essential cookies) | |
storing data from completed Order forms, surveys or login data to the Website (essential and/or functional/preferential cookies) | |
adjusting the content of the Website to the individual preferences of the Service recipient (e.g. as regards colours, font size, page layout) and optimising the use of the Website’s pages (functional/preference cookies) | |
keeping anonymous statistics showing how the Website is used (analytical and performance cookies) | |
displaying and rendering advertisements, limiting the number of times advertisements are displayed and ignoring advertisements which the Service recipient does not wish to see, measuring the effectiveness of advertisements and personalising them, i.e. studying the behavioural characteristics of visitors to the Website by analysing their actions anonymously (e.g. repeated visits to specific pages, keywords, etc.) in order to create their profile and to deliver advertisements to them tailored to their anticipated interests, also when they visit other websites on the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. (marketing, advertising and social network cookies) |
Chrome: (1) in the address bar, click on the lock icon on the left, (2) go to the “Cookies” tab. | Firefox: (1) in the address bar, click on the shield icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click “Cross-site tracking cookies”, “Social media trackers” or “Tracking content” | Internet Explorer: (1) click the “Tools” menu, (2) go to the “Internet options” tab, (3) go to the “General” tab, (4) go to the “Settings” tab, (5) click the “View Files” box |
Opera: (1) in the address bar, click on the lock icon on the left, (2) go to the “Cookies” tab. | Safari: (1) click on the “Preferences” menu, (2) go to the “Privacy” tab, (3) click on the “Manage website data” box | Irrespective of the browser, using the tools available, for example, at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/ |
7.7. The Controller may use Universal Analytics services on the Website provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Controller keep statistics and analyse traffic on the Website. The data collected is processed as part of the above services to generate statistics to help administer the Website and analyse Website traffic. This data is aggregated. When using the above services on the Website, the Controller collects such data as the source and medium of acquisition of visitors to the Website and their behaviour on the Website, information about the devices and browsers used to access the Website, IP and domain, geographical data and demographic data (age, gender) and interests.
7.8. It is possible for the person concerned to easily block the provision of information to Google Analytics about his/her activities on the Website – for this purpose, you can, for example, install a browser add-on provided by Google Ireland Ltd. available at: https://tools.google.com/dlpage/gaoptout?hl=pl.
7.10. The Controller may use on the Website the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Controller measure the effectiveness of advertisements and analyse what actions visitors to the Website undertake, and display advertisements tailored to those individuals. You can find detailed information on how the Facebook Pixel works at: https://www.facebook.com/business/help/742478679120153?helpref=page_content.
7.11. You can manage the operation of the Facebook Pixel via the ad settings in your Facebook.com account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
8. FINAL PROVISIONS
8.1. The Website may contain links to other websites. The Controller urges you, when you go to other sites, to read the privacy policy established there. This Privacy policy applies only to the Controller’s Website.