I. General provisions
Administrator – OtoLandia Michał Witkowski registered in the Central Register and Information on Economic Activity of the Republic of Poland, conducted by the minister competent for economy, with the address of the place of business and the address for service at ul. Postępu 2, 02-676 Warsaw, NIP: 8212341454, REGON 382031958, email address: firstname.lastname@example.org, phone number: 502085385 Personal data – information about an identified or identifiable natural person, in particular based on such identifier as name, surname, PESEL, location data, internet identifier; GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; Service – the internet service available at otolandia.pl, including the online store; User – any natural person visiting the Service or using one or more services provided within the Service; Store/Service Regulations – regulations of the online store/internet service, within the internet service available at: www.otolandia.pl, accessible at www.otolandia.pl
The primary goal of the Administrator is to ensure Users of the Service the protection of their privacy and to ensure compliance with the processing of their personal data, collected in connection with the activity of Users on the Service, with applicable legal regulations, including the GDPR.
II. Principles of personal data processing
- Personal data is processed by the Administrator
a) on the basis of Art. 6(1)(b) GDPR – for the purpose of providing services by the Administrator electronically, in particular services described in the Service Regulations, including services such as providing content in the Service, newsletter delivery service, adding comments to products, and displaying them in the Service, contact service with the Administrator using the contact form, account management service, and purchasing products offered in the Service;
b) on the basis of Art. 6(1)(b) GDPR – for the purpose of the performance of contracts concluded between the User and the Administrator within the online store available in the Service, including complaint handling;
c) on the basis of Art. 6(1)(b) GDPR – for the purpose of the performance of any other contracts concluded between the Administrator and the User within the Service or in connection with the Service, as well as outside the Service in the business activity conducted by the Administrator, whereby: (1) the processing referred to in points 1 to 3 above includes both taking actions before the conclusion of the contract at the request of the person whose data it concerns and the performance of the contract and takes place to the extent necessary to achieve the above-mentioned purposes; (2) providing personal data by the User to the extent necessary to achieve the above-mentioned purposes is necessary for the conclusion and performance of the contract; the consequence of not providing the mandatory required data is the non-conclusion of the contract or at least the impossibility of its performance, for which the Administrator is not responsible;
d) on the basis of Art. 6(1)(c) GDPR – for the purpose of fulfilling a legal obligation incumbent on the Administrator, e.g., resulting from accounting regulations, tax regulations, gambling regulations (in the scope of promotional lotteries);
e) on the basis of Art. 6(1)(f) GDPR – for the purposes of legitimate interests pursued by the Administrator, in particular such as:
pursuing or securing claims, processing data in situations where Users exercise the right to withdraw from the contract (the contract is then considered not concluded); handling requests or providing answers to questions sent via the contact form; conducting correspondence addressed to the Administrator in connection with its business activity, including sending offers, archiving offers submitted by the Administrator, as well as correspondence with the Administrator (if the contract is not concluded by the Administrator with the User); internal administrative purposes carried out within companies related to the Administrator; conducting quality analysis and statistics regarding the services provided, organizing and conducting contests and other marketing activities, conducting marketing of the Administrator's own products and services, conducting marketing within the newsletter sent to Users who have agreed to receive it, promoting the brand within social media portals, adapting the content of the Service page to individual user preferences and optimizing the use of the Service pages; conducting anonymous statistics showing the way the Service is used, tracking traffic within the Service page, the above also using data collected through cookies and other similar technologies; f) on the basis of a separate consent, i.e. on the basis of Art. 6(1)(a) GDPR, if giving such consent is necessary to ensure the legality of the processing of personal data and none of the above-mentioned legal bases for data processing applies, e.g. processing in connection with conducting recruitment proceedings; giving consent to the processing of personal data by the User in such a case is voluntary; the consent given by the User to the processing of personal data can be withdrawn at any time, which does not affect the legality of the processing carried out on the basis of the consent before its withdrawal.
The Administrator of personal data takes special care to protect the interests of the entities whose personal data is processed, and in particular ensures that: the data collected by him is processed in accordance with the law; they are collected for specified, lawful purposes and are not subject to further processing incompatible with these purposes; they remain substantively correct and adequate in relation to the purposes for which they are processed.
The Administrator processes personal data of Users visiting profiles run by the Administrator on social media (Facebook, Instagram), including those engaging in activities on these profiles. Data is processed solely for marketing activities – including promoting the Administrator's brand, activities, services, products – and for the purpose of building and maintaining communication, based on the legitimate interests of the Administrator.
III. User rights
- Each User has the right to:
access their personal data, i.e., the right to obtain confirmation whether the Administrator processes data and to what extent, and information about such processing, including the processing grounds; rectify data if the data processed by the Administrator is incorrect or incomplete; request the Administrator to delete data; request the Administrator to limit the processing of data; data portability, i.e., the right to receive personal data provided to the Administrator and transmit it to another administrator, in case the processing is based on consent or a contract and is carried out in an automated manner; object to the processing of personal data for purposes arising from the legitimate interests of the Administrator; object to processing for marketing purposes; withdraw consent to the processing of personal data at any time (without affecting the lawfulness of processing based on consent before its withdrawal); lodge a complaint with the Polish supervisory authority or the supervisory authority of another Member State of the European Union, in particular if, in the User's opinion, the processing of their personal data violates the GDPR (in Poland, since May 25, 2018, the President of the Office for Personal Data Protection serves as the supervisory authority).
- A request to exercise the above rights can be made through:
a written request sent to the Administrator's address, by email to: email@example.com
The request mentioned in point 2 above must be formulated precisely, specifying what request is to be fulfilled, the purposes of processing covered by the request, and the type of data processing the request concerns. If necessary, the Administrator is entitled to request clarification or supplementation of the application with data needed for the proper implementation of the request.
Within one month of receiving the request, the Administrator will inform the User about the actions taken in connection with the request. If necessary, the Administrator will inform the User of the need to extend the response time, stating the reason for the extension.
The response to the request will be made using the same means of communication that were used to submit the request. In the case of a written request, the response may be sent electronically to the email address provided by the User upon request.
IV. Period for which data is stored
Personal data processed for the conclusion or performance of a contract will be stored for the duration of the contract, and after its expiration - for the period necessary for post-sales customer service (e.g. complaint handling) and securing or pursuing any claims that may be due to the Administrator.
Personal data processed to fulfill a legal obligation of the Administrator will be processed until such legal obligation is fulfilled.
Personal data processed on the basis of separate consent will be stored until the consent is withdrawn.
Personal data processed for the purposes of the legitimate interests pursued by the Administrator will be processed until an objection to such processing is raised, unless the Administrator demonstrates the existence of overriding legitimate grounds for processing, overriding the interests, rights, and freedoms of the data subject, or grounds for establishing, investigating or defending against claims.
Personal data processed for marketing purposes will be processed until an objection to such processing is raised. In the event of an objection to the processing of personal data for marketing purposes, the personal data of such person - to the extent to which processing is related to marketing - will no longer be processed for marketing purposes.
V. Categories of data recipients
User personal data may be disclosed to employees and associates of the Administrator, entities affiliated with the Administrator, debt collection companies, postal operators, carriers, partners providing technical services, providers of hosting services and IT systems, subcontractors of the Administrator, other entities providing services to the Administrator, and employees or associates of such entities.
VI. Cookies and exploitation data
Cookies collect data on the User's use of the Service. This is primarily aimed at: facilitating the User's use of the Service, customizing the Service to the needs and expectations of a particular User (personalization of Service subpages), analyzing User traffic within the Service, and conducting marketing activities by the Administrator.
VII. Final provisions
The administrator of personal data applies technical and organizational measures to ensure the protection of processed personal data, appropriate to the threats and categories of personal data protected, in particular, secures personal data against unauthorized access, taking over by an unauthorized person, processing in violation of applicable laws, and against their alteration, loss, damage, or destruction.
Effective from February 1, 2019.