We know very well that security and privacy are important to you. For us, they are equally important. Our priority is to provide you with a high level of protection and to ensure that your data is always accessible and secure. We process personal data and share it with others only within the limits of the law, and only when it is most necessary. We make every effort to ensure that your privacy is not violated.
1. General provisions
1.3. Personal data is information about an identified or identifiable natural person to whom the data relates, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier (characteristic) such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
1.4. Processing means an operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, ordering, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, adjustment or combination, restriction, erasure or destruction.
1.5. Your personal data shall be processed in accordance with the applicable legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR") and the Act of 10 May 2018 on the protection of personal data.
1.6. In order to ensure the security of your personal data, we use appropriate technical and organisational measures for the secure processing of personal data.
2. Data Controller
Your data are jointly controlled by:
- MPP sp. z o.o. with a seat at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register (KRS) against KRS number: 0000259700, with share capital of 50,000.00 PLN, Tax Identification Number (NIP): 8133469935, National Business Registry Number (REGON): 180149478; contact in writing to the above address, or by e-mail to firstname.lastname@example.org
- Piotr Leszczyński, conducting business operation under the name: najlepszefoto.pl Piotr Leszczyński with a seat at Zaczernie 190, 36-062 Zaczernie, Tax Identification Number (NIP): 8132260802, National Business Registry Number (REGON): 691668352, contact in writing to the above address, or by e-mail to email@example.com.
- Focus sp. z o.o. with a seat at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register (KRS) against KRS number: 0000815538, with share capital of 5,000.00 PLN, Tax Identification Number (NIP): 5170403426, National Business Registry Number (REGON): 384947680, contact in writing to the above address, or by e-mail to firstname.lastname@example.org
referred to collectively as the Controller in this Policy.
The Joint Controllers have entered into a personal data co-management agreement specifying the mutual obligations arising from the joint control of data.
3. The scope of Customers' personal data subject to processing
3.1. The following Customer personal data are subject to processing by the Controller:
a) Customer data provided during registration on the website and used on the Order Form, in particular: first name, last name, residential address, delivery address, e-mail address, phone number, date of birth, and in the case of Customers who are not Consumers, additionally company name and Tax Identification Number (NIP);
b) Customer personal data provided to the Controller via the account held on Facebook or Google, if the Customer has selected this Registration option (see clause 9.2.);
d) Customer data relating to the Purchase Order placed via the Website, including the Customer's data contained in the files provided by the Customer and the Designs produced;
e) other Customer data voluntarily provided by the Customer by means of electronic templates available on the Website or by any other form of contact with the Controller's consultant.
3.2. Given the fact that the services offered on the Website are dedicated to adults, the Controller does not knowingly process any personal data of children using the services.
4. Purposes of and legal grounds for processing Customers' personal data
4.1. The Customers' personal data are or may be processed:
a) in order to conclude and perform an agreement executed through the Website – in this case processing by the Controller is necessary for the conclusion and performance of the agreement to which the Customer is a party, or to take action at the Customer's request, prior to the conclusion of the agreement (Art. 6(1)(b) GDPR);
b) for the purpose of Registration to and maintaining an Account on the Website - in this case data processing by the Controller is necessary for the performance of the agreement for the delivery of services by electronic means, to which the Customer is a party, or to take action at the Customer's request, prior to the conclusion of the agreement (Art. 6(1)(b) GDPR);
c) for the purpose of delivering the Newsletter – in this case data processing by the Controller is based on the Customer's consent (Art. 6(1)(a) GDPR);
d) in order to handle the matter described by the Customer in the electronic form available on the Website or during a chat with the Customer's account manager – in this case data processing by the Controller is necessary for the conclusion and performance of the agreement for the delivery of services by electronic means (Article 6(1)(b) GDPR), and also takes place based on the Controller's legitimate interest (Article 6(1)(f) GDPR) which involves sales support;
e) in order to deliver services by electronic means, i.e. to make it possible for Customers to view, reproduce and read the information and materials accessible on the Website – in this case the processing of data by the Controller is necessary for the performance of the agreement to which the Customer is a party (Art. 6(1)(b) GDPR);
f) in order to make it possible to make the Design on the Website – in this case the processing of data by the Controller is necessary for the performance of the agreement to which the Customer is a party (Art. 6(1)(b) GDPR);
g) for the purposes of the Controller's legitimate interests relating to the operation of the Website, conducting analysis of the Customer's use of the Website, and ensuring the security and reliability of the services provided on the Website and in the Store (Article 6(1)(f) GDPR);
h) for the purposes of the Controller's legitimate interests, which may include, but are not limited to, determination, investigation and defence of claims, prevention and investigation of criminal offences, management and further growth of the business, including risk management (Article 6(1)(f) GDPR);
i) to assess Customer satisfaction (e.g. through surveys sent to Customers by email) - data processing carried out by the Controller is based on the Controller's legitimate interest (Art. 6(1)(f) GDPR);
j) for the purposes of direct marketing carried out by the Controller, related to selection of goods and services to meet the Customers' needs (including profiling), based on cookies and other similar technologies referred to in point 10 – in this case data processing is carried out by the Controller based on the Controller's legitimate interest (Article 6(1)(f) GDPR);
k) for the Controller's marketing purposes arising from the consent given by the Customer (Art. 6(1)(a) GDPR);
l) to ensure compliance with the legal obligations applicable to the Controller (in particular those arising from the provisions of the Accounting Act and tax laws), where the processing is necessary for the fulfilment of a legal obligation incumbent on the Controller (Article 6(1)(c) GDPR).
4.2. Personal data are provided on the Website voluntarily; however, they may be necessary for the performance of one or more of the services and purposes of personal data processing set out in 4.1 above, which the Controller will not be able to execute unless personal data have been provided.
4.3. The Customer's personal data collected through contact between the Customer and persons acting on behalf of the Controller, including via the helpline or through contact with the Customer's account manager, is used solely for the purpose of contacting the Customer and providing information and advice to the Customer.
5. The duration of the Customer's personal data processing
5.1. The Controller shall process the Customer's personal data in the manner and for the period necessary for the fulfilment of the purposes for which the data were collected.
5.2. If the data are processed:
a) in order to enter into and perform an agreement (including a sales contract) - the Customer's data will be processed throughout the validity period and during the performance of the agreement;
b) based on the Customer's consent - the Customer's data will be processed until such consent is withdrawn;
c) to ensure compliance with the legal obligations applicable to the Controller - the Customer's data will be processed for the period required by law;
d) for the Controller's direct marketing purposes, including selection of goods and services to meet the Customers' needs (profiling) - the Customer's data will be processed until the Customer raises an objection;
e) in relation to other legitimate interests of the Controller - the data will be processed until the objection raised by the Customer has been accepted, or until the expiry of the prescription period for that claim.
5.3. At the end of the processing period, the data are deleted or made anonymous.
6. Customer's rights and obligations
6.1. Where the processing of personal data takes place pursuant to the Customer's consent, such consent is voluntary and may be withdrawn at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal of consent. The declaration of withdrawal of consent should be made by e-mail, to the Controller's address specified in clause 2.
6.2. The Customer shall also have the following rights:
a) to have his/her personal data deleted;
b) to restrict the processing of his/her personal data;
c) to access the content of his/her data as well as to rectify (amend) it;
d) to obtain a copy of his/her data or to have them transferred, whereby this right shall not adversely affect the rights and freedoms of others (including trade secrets or intellectual property rights) and shall be exercised to the extent which is technically feasible;
e) to object to the processing of his/her personal data when the processing is based on a legitimate interest of the Controller or a third party.
6.3. The Controller will exercise the Customer's rights, subject to the exceptions set out in the provisions of GDPR.
6.4. As registered users, the Customers may also correct or update by themselves the personal data related to the Account. To do this, it is necessary to log into the Account, go to the "Account Settings" tab and enter the relevant changes in the Personal Data field.
6.5. To exercise the rights set out in 6.1 and 6.2, an e-mail should be sent to the address of any of the Joint Controllers - if the Customer's personal data is processed in connection to an agreement to which the Controller is a party, and in other cases concerning the processing of the Customer's personal data, in connection with his/her use of the Website.
6.6. The Customer may lodge a complaint with the supervisory authority of the President of the Office for Personal Data Protection if he/she believes that the processing of data affecting him/her violates the provisions of GDPR.
6.7. All and any incidents which impact or may impact the security of personal data on the Website (including any cases of suspected sharing of files containing viruses, files of a similar nature, or any files other than destructive mechanisms) shall be promptly reported by the Customer to the e-mail address of any Joint Controller.
7. Entities which may receive access to Customers' personal data
7.1. The Controller shall disclose the Customers' personal data if there is a legal basis for doing so, in particular when it is necessary for the delivery of the services provided to the Customers.
7.2. Customers' personal data may also be disclosed at a request of public authorities or other entities entitled to acquire such information by law, in particular when this is necessary to ensure the security of the Controller's systems.
7.3. Entities which may receive access to Customers' personal data include, in particular:
7.3.1. entities entitled to obtain the Customer's data on the basis of applicable legal provisions;
7.3.2. entities whose services are used by the Controller to deliver goods and services to Customers, in particular:
a) entities delivering IT services or providing access to IT systems for the Controller;
b) enterprises rendering the services related to supply and maintenance of software used to operate the Website;
c) payment system operators;
d) postal and courier service providers;
e) law firms, consulting firms with which the Controller cooperates;
7.3.3. the Controller's trusted marketing partners; the current list of these is attached as Appendix 1 hereto.
8. Transfers of data outside the EEA
8.1. The Controller shall transfer personal data outside the European Economic Area (EEA) only when necessary and with an adequate level of protection, to be ensured in particular by:
a) cooperation with entities that process personal data in countries for which a relevant decision of the European Commission has been issued;
b) application of the standard contractual clauses issued by the European Commission;
c) application of binding corporate rules approved by the competent supervisory authority.
8.2. Where applicable, the Controller shall always give notice of its intention to transfer personal data outside the EEA at the time they are being collected. Upon request, the Controller shall provide the Customer with a copy of his/her data that will be transferred outside the EEA.
11. Processing of Third Party's personal data
11.1. If the Customer posts any personal data of Third Parties on the Website, he/she may only do so on the condition that he/she does not violate the provisions of the applicable law and the personal rights of these individuals. Third Parties are natural persons whose personal data the Customer posts on the Website or as part of the Design submitted.
11.2. The Controller may process Third Party personal data entrusted to them by the Customer, if the Customer confirms that he/she is entitled to transfer the personal data of such Third Party.
11.3. In the cases where the Customer posts Third Party data on the Website or within the Design performed, as part of an activity other than purely personal or domestic operation, the Customer acts as a controller of such data within the meaning of the provisions of the GDPR.
11.4. In the case referred to in clause 11.3 above, the Customer shall enter into an agreement with the Controller, entrusting the processing of the Third Party's data under the terms of clauses 11.5 - 11.10 below.
11.5. Third Party Data, entrusted by the Customer, will be processed by the Controller for the purpose of the proper performance of the agreement for the provision of electronic services concluded with the Customer - in connection with the Customer's use of the Website or the delivery of the Order.
11.6. The data entrusted includes all personal data of Third Parties provided in connection with the Customer's use of the Website or in connection with an Order placed, in particular: name, address, gender, image, date of birth or age.
11.7. The Customer agrees for the Third Party data to be further entrusted for processing (so-called sub-entrustment), in connection with the performance of the agreement concluded with the Customer.
11.8. Third Party data entrusted by the Customer shall be processed by the Controller, in accordance with Art. 28 GDPR.
11.9. Third Party personal data may also be processed by the Controller if it is necessary to establish, assert or defend against claims - the legal basis for the processing is the Controller's legitimate interest (Article 6(1)(f) GDPR) in protecting their rights.
11.10. If the Controller becomes aware that Third Party personal data are processed by the Controller in violation of the provisions of GDPR, or applicable laws or in conflict with Third Party personal rights, the Controller shall take steps to delete such data as soon as possible.
12. Final Provisions
12.2. A change to the annexes of this Policy does not constitute an amendment to the Policy.
12.3. The current version is available on the Website.
List of Controller's trusted marketing partners to whom Customers' personal data may be transferred:
a) Google LLC in connection to the use of Google Analytics tools;
b) Hubspot Inc. in connection to the use of Hubspot marketing tools;
c) Smartlook.com, s.r.o., Reg. no.: 09508830 in connection to the use of the Smartlook tool for the analysis of user activity on websites (heatmap);
d) Facebook in connection to the use of the Pixel tool;
e) SurveySparrow Inc. in connection to the use of customer satisfaction survey tools;
f) Trustpilot A/S (registration number 30276582), in connection to the use of customer satisfaction measuring tools;
g) Ringier Axel Springer Polska Sp. z o.o. in connection to the cooperation with Opineo - in order to improve the quality of services through customer feedback;
h) GetResponse S.A. in connection to the use of GetResponse marketing tools;
i) Refericon Sp. z o.o. in connection to the use of the referral programme.