1.1. Administrator – Studio Impress Marta Trojanowska with registered office in Warsaw.
1.2. Personal data – all information of natural person identified or identifiable through one or a few special factors that determine physical, physiological, genetic, mental, economic, cultural or social identity, inclusive of device’s IP, data of location, Internet ID and information stored by means of cookie files and other similar technology.
1.4. GDPR – Resolution by the European Parliament and Council (UE) 2016/679, date of April 27th, 2016 on protection of natural persons with regard to processing of personal data and on free flow of such data and the repeal of Directive 95/45/WE.
1.5. Website – Web site managed by Administrator under address: martatrojanowska.com.
1.6. User – Each natural person visiting the Website or using one or a few services or functionalities described in Policy.
- DATA PROCESSING IN RELATION TO USE OF WEBSITE
2.1. In connection with the User’s use of the Website, the Administrator collects data to extent necessary for provision of respective services offered, and also information about the User’s activity on the Website. Detailed rules and purposes for processing of personal data stored while using the Website by the User, have been described below.
- PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING ON WEBSITE
– USE OF martatrojanowska.com WEBSITE
3.1. Personal data of all persons using the Website (inclusive of IP address or other identifiers and information stored by means of cookie files or other similar technologies), while not being registered Users (that is persons not owning a profile on the Website) are processed by the Administrator:
3.1.1. For the purpose of rendering services by electronic means within the scope of making contents collected on the Website, purchases made on the Website available to Users, making available contact forms – then the legal basis for the processing is indispensability of the processing for performance of the contract (Art. 6 Par. 1 (b) GDPR);
3.1.2. for the purpose of handling purchases made without registration on the Website – then the legal basis for the processing is indispensability of the processing for performance of the contract (Art. 6 Par. 1 (b) GDPR);
3.1.3. for the purpose of handling complaints – then the legal basis for the processing is indispensability of the processing for performance of the contract (Art. 6 Par. 1 (b) GDPR);
3.1.4. for analytical and statistical purposes – then the legal basis for the processing is the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in conduction of analyses of Users’ activities, and also their preferences in order to improve applied functionalities and rendered services;
3.1.5. for the purpose of possible establishment and assertion of claims or defense against them – the legal basis for the processing is the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in protection of his/her rights;
3.1.6. for Administrator’s and other entity’s marketing purposes – rules of processing personal data for marketing purposes have been described in “MARKETING” section.
User’s activity on the Website, inclusive of his/her personal data, are registered in system logs (specialized software used for storage of chronological records that contain information of occurrences and operations regarding IT system designed for providing the services by the Administrator). Collected information in logs are processed with respect to provision of services. Administrator also processes them for technical purposes, in particular data may be temporarily stored and processed in order to ensure security and proper performance of IT systems, e.g. in relation to creating back-up copies, IT system change tests, detecting irregularities or protecting from abuses and attacks.
– REGISTRATION ON THE WEBSITE – martatrojanowska.com
3.2. Persons, who register on the Website are requested to provide data necessary for creating and managing the account. In order to facilitate an operation, the User may provide additional data, thus giving his/her consent to their processing. Such data may be deleted at any time. Providing data labeled as obligatory is required to set up and run the account, and failure to provide them shall result in lack of possibility of establishing the account. Provision of remaining data is voluntary.
3.3. Personal data is processed:
3.3.1. for the purpose of rendering services related to management and operation of the account on the Website – the legal basis for the processing is indispensability of the processing for performance of the contract (Art. 6 Par. 1 (b) GDPR), and within the scope of data given optionally – the basis for the processing is the consent (Art. 6 Par. 1 (a) RODO)
3.3.2. for analytical and statistical purposes – the legal basis for the processing is the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in conduction of analyses of Users’ activities and manner of use of the account, and also their preferences in order to improve applied functionalities;
3.3.3. for the purpose of possible establishment and assertion of claims or defense against them – the legal basis for the processing is the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in protection of his/her rights;
3.3.4. for Administrator’s and other entity’s marketing purposes – rules of processing personal data for marketing purposes have been described in “MARKETING” section.
3.4. If the User places any personal data of other persons (including their name and surname, address, phone number or e-mail address) on the Website, he/she may only do it provided that regulations of effective law and personality rights of these persons are not infringed.
– PLACING ORDERS
3.5. Placing an order (purchase of merchandise or service) by the Website User entails the processing of his/her personal data. Providing data labeled as obligatory is required to accept and manage the order, and failure to provide them shall results in its non-execution. Provision of remaining data is voluntary.
3.6. Personal data is processed:
3.6.1. for the purpose of execution of an order placed – legal basis for the processing is indispensability of the processing for performance of the contract (Art. 6 Par. 1 (b) GDPR); within the scope of data given optionally, the legal basis for the processing is the consent (Art. 6 Par. 1 (a) GDPR);
3.6.2. for the purpose of meeting the statutory duties incumbent upon the Administrator, resulting in particular from tax and accounting laws – the legal basis for the processing is the legal obligation (Art. 6 Par. 1 (c) GDPR);
3.6.3. for analytical and statistical purposes – then the legal basis for the processing is the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in conduction of analyses of Users’ activities on the Website, and also their purchasing preferences in order to improve applied functionalities;
3.6.4. for the purpose of possible establishment and assertion of claims or defense against them – the legal basis for the processing is the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in protection of his/her rights;
– CONTACT FORMS
3.7. The administrator provides the possibility of contacting him/her by means of electronic contact forms. In order to use of the form, it is required to give personal data necessary for contacting with the User and replying an inquiry. The User may also provide other data in order to facilitate the contact or management of the inquiry. Providing data labeled as obligatory is required to accept and manage an inquiry, and failure to provide them shall result in lack of possibility of management. Provision of remaining data is voluntary.
3.8. Personal data is processed:
3.8.1. for the purpose of identification of a sender and management of his/her inquiry sent via available form – the legal basis for the processing is indispensability of the processing for performance of the contract on the service provision (Art. 6 Par. 1 (b) GDPR);
3.8.2. for analytical and statistical purposes – the legal basis for the processing is the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in conduction of statistics of inquiries reported by Users via Website in order to improve its functionalities.
4.1. The Administrator processes Users’ personal data in order to implement marketing strategies, which may consists in:
4.1.1. displaying marketing contents for the User, which are not suited to his/her preferences (contextual advertising);
4.1.2. directing e-mail notifications of attractive offers or contents, which in some cases include commercial information;
4.1.3. carrying out other sorts of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).
4.2. The Administrator processes Users’ personal data for marketing purposes in relation to directing the contextual advertising (that is, advertisement, which is not suited to User’s preferences) to Users. Processing of personal data is then held in view of satisfying the Administrator’s legitimate interest (Art. 6 Par. 1 (f) GDPR).
4.3. If the User has agreed to receiving marketing information via e-mail, text messages and other means of electronic communication, the User’s personal data may be processed for the purpose of sending such information. The basis for the processing of data is the Administrator’s legitimate interest consisting in sending marketing information within the limits of consent given by the User (direct marketing). The User is entitled to object to the processing of data for the needs for direct marketing, inclusive of profiling. Data shall be stored to this end for the period of existence of the legitimate interest of Empik, unless the User objects to receiving marketing information.
- SOCIAL NETWORKING SITES
5.1. The Administrator processes Users’ personal data by visiting Administrator’s accounts managed on the social networking sites (Facebook, YouTube, Instagram, Twitter, Google +, Pinterest). This data is processed solely in connection to management of the account, including for the purpose of notifying Users of the Administrator’s activity and promoting a variety of events, services and products, and also for the purpose of communication with users by means of functionalities available in social media. The legal basis for the processing of personal data by the Administrator to this end is his/her legitimate interest (Art. 6 Par. 1 (f) GDPR) consisting in promoting own trademark as well as building and maintaining the community attached to trademark.
- COOKIE FILES AND SIMILAR TECHNOLOGY
6.1. Cookie files are small text files installed in device of the User browsing the Website. Cookie files collect information that facilitate use of the website – e.g. by memorizing the User’s visits to the Website and activities performed by him/her.
6.2. The Administrator uses a so-called cookie file for the purpose of delivering services provided by electronic means to the User and improving the quality of these services. Therefore, the Administrator and other entities rendering analytical and statistical services for him/her use cookie files, storing information or gaining access to information already stored in the User’s telecommunications terminal device (computer, phone, tablet etc.). Cookie files used to this end comprise:
6.2.1. cookie files with data keyed in by the User (session ID) for the duration of the session (Eng. user input cookies);
6.2.2. authentication cookie files used for services that require an authentication for the duration of the session (Eng. authentication cookies);
6.2.3. cookie files used for ensuring the security, e.g. used for detecting frauds in terms of authentication (Eng. user centric security cookies);
6.2.4. multimedia player session cookie files (e.g. flash player cookie files), for the duration of the session (Eng. multimedia player session cookies);
6.2.5. permanent cookie files used for personalization of the User’s interface for the duration of the session or longer (Eng. user interface customization cookies);
6.2.6. cookie files used for memorizing the shopping cart contents for the duration of the session (Eng. shopping cart cookies);
6.2.7. cookie files used for monitoring of the website traffic, i.e. data analytics, inclusive of Google Analytics cookies (these are the files used by the Google company for the purpose of analysis of the method of the Website use by the User, for preparation of statistics and reports concerning the Website performance). Google does not use collected data for identification of the User or does not combine these pieces of information to enable identification. Detailed information of the scope and terms of collecting data may be found by clicking the link: https://www.google.com/intl/pl/policies/privacy/partners.
- PERIOD OF THE PROCESSING OF PERSONAL DATA
7.1. Period of data processing by the Administrator is dependent on the type of provided service and purpose of such processing. As a rule, data is processed through the period of provision of the service or execution of the order, until the time of withdrawing the given consent or raising an effective objection to data processing in cases when the legal basis for the processing of data is the Administrator’s legitimate interest.
7.2. Period of data processing may be extended in case when processing is indispensable for establishment and assertion of possible claims or defense against them, and after that time solely in case and to the extent, to which it shall be required by legal regulations. After lapse of the period of data processing, data shall be irretrievably deleted or anonymized.
- USER’S RIGHTS
8.1. Data subjects shall exercise the following rights:
8.1.1. Right to information concerning personal data processing – the Administrator shall on these grounds convey a piece of information on personal data processing, inclusive first and foremost of purposes and legal bases for the processing, extent of possessed data, entities, to whom personal data is disclosed and scheduled date of their deletion, to the person reporting such request;
8.1.2. Right to gain the copy of data – the Administrator shall on these grounds convey the copy of processed data, concerning a person reporting the request;
8.1.3. Right of rectification – the Administrator shall on these grounds remove possible inaccuracies or errors pertinent to personal data processed, and shall supplement or update it of they are incomplete or have undergone modifications;
8.1.4. Right to erasure of data – data subjects shall on these grounds be entitled to request the erasure of data, processing of which is no longer indispensable for pursuing any objectives, for the needs of which they have been collected;
8.1.5. Right to restriction of processing – the Administrator shall on these grounds discontinue the practice of running operations using personal data, except for operations, to which the data subject has agreed to and for their storage, pursuant to adopted rules of retention, or until the reasons for restriction of data processing are no longer applicable (e.g. a decision that permits further processing of data shall be issued by supervisory authority);
8.1.6. Right to data portability – on these grounds, to the extent, to which data is processed with respect to concluded agreement or given consent, the Administrator shall issue data delivered by the data subject in format enabling their readout on the computer. Request for sending this data to other entity shall also be possible – however, on condition that technical capacities exist in this area both on the Administrator’s part and that other entity’s part;
8.1.7. Right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without necessity to justify such objection;
8.1.8. Right to object to other purposes of data processing – the data subject mat at any time object to the processing of personal data on grounds of the Administrator’s legitimate interest (e.g. for analytical or statistical purposes or for reasons of the protection of property). Objection in this regard shall include justification and be liable to Administrator’s judgment;
8.1.9. Right to withdraw consent – if data is processed based on consent, the data subject shall be entitled to withdraw it at any time, which however does not affect the lawfulness of the processing effected before withdrawal of this consent;
8.1.10 Right to lodge a complaint – in case it is satisfied that the processing of personal data infringes GDPR regulations or other laws regarding the protection of personal data, the data subject shall be entitled to file a complaint to the President of the Office for Personal Data Protection.
8.2. Proposal for the exercise of data subjects’ rights may be submitted:
8.2.1. in the written form to address: Studio Impress Marta Trojanowska, ul. Studencka 51, 02-735 Warszawa.
8.2.2. by e-mail to address: email@example.com.
8.3. Proposal should if possible accurately indicate what a given request concerns, i.e. in particular:
8.3.1. what sort of right a petitioner wishes to exercise (e.g. right to receive data copies, right to erase data, etc.);
8.3.2. what sort of the processing a request concerns (e.g. use of specific service, activity on a particular website, obtaining a newsletter containing commercial information at the specific e-mail address, etc.);
8.3.3. what purposes of the processing a request concerns (e.g. marketing, analytical purposes etc.).
8.4. If the Administrator is unable to establish the contents of request or identify the person submitting a proposal based on application filed, shall address the applicant for additional information.
8.5. Reply to applications shall be given within a month of its receipt. In case of necessity of prolongation of this period, the Administrator shall notify the applicant of reasons for such prolongation.
8.6. Reply shall be given to e-mail address, from which an application has been sent, and in case of applications addressed by letter, by ordinary letter to address indicated by the applicant provided that will to receive the feedback to mailing address (in such case, e-mail address should be provided) does not follow from contents of the letter.
- DATA RECIPIENTS
9.1. Considering performance of services, personal data shall be disclosed to external entities, inclusive particularly of suppliers in charge of IT systems operations, entities such as banks and payment operators, entities rendering accounting, legal, auditing, consulting services, couriers (in relation to execution of an order), marketing agencies (in the area of marketing services) as well as entities related to the Administrator, including companies of his capital group and trading partners, i.e. entrepreneurs managing partner stores.
9.2. In case of obtaining the User’s consent, his/her data may also be made available to other entities to their own ends, marketing targets included.
9.3. The Administrator reserves the right to disclose particular information relating to the User to competent authorities or third parties, who shall submit a request for receiving such information, relying on appropriate legal basis and in accordance with effective laws.
- TRANSFERS OF DATA OUTSIDE EEA
10.1. Level of the protection of personal data outside the European Economic Area (EEA) is different from that guaranteed by the European law. For this reason, the Administrator transfers data outside EEA only if necessary, and by ensuring an appropriate level of protection, first and foremost by:
10.1.1. co-operation with entities processing personal data in states, in respect of which the relevant decision has been issued by the European Commission;
10.1.2. use of the standard contractual clauses issued by the European Commission;
10.1.3. use of binding corporate regulations, approved by the competent supervisory authority;
10.1.4. in case of transfers of data to USA – co-operation with entities participating in the Privacy Shield program, approved by the European Commission’s decision.
10.2. The Administrator shall always apprise of the intention of transferring the personal data outside EEA at the stage of their collection.
- PERSONAL DATA SECURITY
11.1. The Administrator shall conduct a risk analysis on an ongoing basis in order to ensure that personal data is processed by him/her in a safe way – first of all guaranteeing that only authorized persons can access data and solely to the extent, to which it is necessary due to tasks fulfilled by them. The Administrator cares that all operations based on personal data are recorded and carried out by authorized employees and co-workers only.
11.2. The Administrator shall undertake all necessary steps to ensure that also his/her subcontractors and other co-operating entities can guarantee the exercise of appropriate safety measures in each case when they process personal data by the Administrator’s request.
- CONTACT DATA
12.1. Contact with the Administrator is possible via e-mail address: firstname.lastname@example.org or the address for correspondence: Studio Impress Marta Trojanowska, ul. Studencka 51, 02-735 Warszawa.
13.1. Policy is verified on a current basis and if necessary, updated.