We are certain safety and privacy are important for you. They are equally important for us. Our priority is to ensure high protection level to our Customers and guarantee their data is always available and secure. We process personal data and share it with others solely as specified by the applicable law and only when this is most required. We try to ensure your privacy is not compromised.
1. General provisions
1.2. The terms not defined herein shall be construed as specified in the Website Rules.
1.3. Personal data is information concerning an identified or identifiable data subject, e.g. the one who can be identified directly or indirectly, including but not limited to based on such an identifier (property) as name and surname, ID number, location data, Internet identifier or one or more factors describing the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
1.4. Processing means an operation or a set of operations made on personal data or personal data sets in an automated or non-automated way, including collection, saving, organising, ordering, storing, adapting or modifying, downloading, browsing, using, disclosing, sharing, matching or combining, limiting, deleting or destroying.
1.5. Customers' personal data is processed in accordance with the applicable regulations, including but not limited to the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR") and the Act of 10 May 2018 on protecting personal data.
1.6. To ensure security of the Customers' personal data, we apply relevant technical and organisation measures related to personal data processing security.
2. Data Controller
2.1. The Data Controller for the Customers' personal data is Cyfrowa Foto Spółka z ograniczoną odpowiedzialnością, with its registered seat in Zaczernie, Zaczernie 190, 36–062 Zaczernie, entered in the National Court Register, Register of Entrepreneurs under KRS no. 0000259700, Tax Identification No. (NIP): 8133469935, REGON 180149478 (hereinafter "Cyfrowa Foto"). You can contact us in writing at our postal address or at email address firstname.lastname@example.org
3. Scope of the Customer's personal data processed
3.1. The scope of the Customer's personal data processed by the Data Controller comprises:
a) Customer's data provided when filling in the Registration Form, including name and surname, address, delivery address, email address, phone number, date of birth, and for customers other than Consumers also the company name and Tax Identification Number;
b) Customer's data, shared with the Data Controller via Facebook, if the Customer selected to register via Facebook (see 9.4);
c) Customer's data obtained by the Data Controller in connection with using cookie files or other, similar technologies (see 10);
d) Customer's data concerning the Order placed by them on the Website, including Customer's data included in the files shared by the Customer and Designs made;
e) other data of the Customer, shared by the Customer voluntarily using electronic forms available on the Website or another form of contact with the Data Controller's consultant.
3.2 As the services offered via the Website are dedicated to adults, the Data Controller does not process personal data of children using the services offered by them, provided they are aware of that.
4. Purposes and legal grounds of processing the Customers' personal data
4.1. The personal data of the Customers is or can be processed:
a) to execute and perform the sales agreement, executed via the Website — in this case processing by the Data Controller is required to execute and perform the agreement the Customer is a party to or to initiate any activities at the Customer's request, before the agreement is executed (Article 6(1)(b) GDPR);
b) to register and keep the Account on the Website — in this case processing by the Data Controller is required to perform the agreement on providing electronic services the Customer is a party to or to initiate any activities at the Customer's request, before the agreement is executed (Article 6(1)(b) GDPR);
c) to deliver a Newsletter — data processing by the Data Controller takes place in this case based on the Customer's consent (Article 6(1)(a) GDPR);
d) to act as described by the Customer in the electronic form available on the Website or in a chat with the account manager — in this case data processing by the Data Controller is required to execute and perform the agreement on providing electronic services (Article 6(1)(b) GDPR) and takes placed based on the legitimate interest of the Data Controller (Article 6(1)(f) GDPR) consisting in supporting sales;
e) to provide electronic services in relation to enabling the Customers to browse, play and read the information and materials shared on the Website — in this case data processing by the Data Controller is required to perform the agreement the Customer is a party to (Article 6(1)(b) GDPR);
f) to enable Design performance on the Website — in this case data processing by the Data Controller is required to perform the agreement the Customer is a party to (Article 6(1)(b) GDPR);
g) to pursue the legitimate interests of the Data Controller, related to running the Website, including analysing the use of the Website by the Customer, ensuring security and reliability of services provided via the Website and the Shop (Article 6(1)(f) GDPR);
h) to pursue the legitimate interests of the Data Controller which may include e.g. identification, pursuing and defending claims, preventing offences and running investigations related to them, managing business activity and its further development, including risk management (Article 6(1)(f) GDPR);
i) to survey Customer satisfaction (e.g. by surveys sent to the Customers in an electronic format) — in this case data processing by the Data Controller is based on the Data Controller's legitimate interest (Article 6(1)(f) GDPR);
j) for purposes of the Data Controller's direct marketing, including the choice of goods and services for the Customers' needs (including profiling) based on cookie files and other similar technologies, mentioned in section 10 — in this case data processing by the Data Controller is based on the Data Controller's legitimate interest (Article 6(1)(f) GDPR);
k) for marketing purposes of the Data Controller, resulting from the consent granted by the Customer (Article 6(1)(a) GDPR);
l) to ensure compliance with the legal obligations imposed on the Data Controller (including but not limited to the ones resulting from the Accounting Act and tax regulations), when the processing is required to fulfil the legal obligation of the Data Controller (Article 6(1)(c) GDPR).
4.2. Personal data is provided voluntarily on the Website, but it may be required to pursue one or more purposes and goals of personal data processing, as stipulated in 3.1 above, which the Data Controller will not be able to pursue unless the personal data is provided.
4.3. The Customer's personal data gathered in direct contacts of the Customer with people representing the Data Controller, including via the hotline or in contacts with the account manager, is used solely for contacting the Customer and providing them with information and advice.
5. Term of processing the Customer's personal data
5.1. The Data Controller processes the Customer's personal data in a way and for the period required to pursue the goals which the data was collected for.
5.2. If the data is collected:
a) to execute and perform the agreement (including sales agreement) — the Customer's data will be processed for the term of the agreement validity and performance;
b) based on the Customer's consent — the Customer's data will be processed until the consent is revoked;
c) to ensure compliance with the legal obligations of the Data Controller — the Customer's data will be processed for the term required by the applicable regulations;
d) for the purposes of the Data Controller's direct marketing, including the choice of goods and services for the Customer's needs (profiling) — the Customer's data will be processed until the Customer objects to it;
e) for the purposes of pursuing other legitimate interests of the Data Controller — the data will be processed until the objections made by the Customer are accepted or the limitation period expires.
5.3. After the processing period expires, the data is deleted or anonymised.
6. Customer's rights and obligations
6.1. If the personal data is processed based on the consent granted by the Customer, such a consent is voluntary and can be revoked any time, without affecting the legality of processing before the consent was revoked. The opt-out statement should be submitted by email at the Data Controller's address mentioned in 6.5.
6.2. The Customer shall have the following rights:
a) to have their personal data deleted;
b) to have processing of their personal data limited;
c) to access their personal data and adjust it (correct it);
d) to receive a copy of their personal data or have it transferred, this title not affecting the rights and freedoms of other people in any adverse way (including any business secrets and intellectual property rights) and being exercised in the scope possible for technical reasons;
e) to object to having their personal data processed if the processing is based on the legitimate interest of the Data Controller or any third party.
6.3. The Data Controller shall exercise the Customer's rights, with a reservation of the exceptions mentioned in the GDPR provisions.
6.4. A registered Customer may also adjust or update their personal data. For that purpose log in the Account, go to the "Account Settings" tab and make the relevant changes in the Personal Data fields.
6.5. To exercise the rights stipulated in 6.1 and 6.2., send an email to the Data Controller's address, i.e. email@example.com if the Customer's personal data is processed in connection with the sales agreement the Data Controller is a subject to, and also in any other cases related to processing the Customer's personal data in connection with their use of the Website.
6.6. The Customer shall be authorised to make a complaint to the supervisory body Autoriteit Persoonsgegevens, if they believe processing of their personal data violates GDPR provisions.
6.7. Any incidents compromising or likely to compromise personal data security in the Website (including the suspected sharing of files containing viruses or other files of a similar nature or other than the malware files) shall be reported by the Customer immediately at: firstname.lastname@example.org
8. Data transfer outside the EEA
8.1. The Data Controller shall transfer the personal data outside the European Economic Area (EEA) only when this is required, ensuring the appropriate protection level, primarily by means of:
a) cooperating with personal data processors in countries with respect to which a relevant decision of the European Commission was issued;
b) applying standard contractual clauses issued by the European Commission;
c) applying binding corporate rules, approved by the competent supervisory body;
d) with respect to transferring the data to the U.S. — cooperation with entities participating in the Privacy Shield scheme, approved by the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield (the list of this scheme participants is available at: https://www.privacyshield.gov/list).
8.2. Whenever applicable, the Data Controller always informs of their intention to transfer the personal data outside the EEA when it is collected. At the Customer's request, the Data Controller shall make a copy of their data which will be transferred outside the EEA available to them.
11. Processing third party personal data
11.1. If the Customer shares any third party personal data via the Website, they can do it solely provided they do not violate the legal regulations and personal interests of such people. Third people include individuals whose personal data is placed by the Customer on the website or when submitting or performing the Design.
11.2. The Data Controller may process the third party personal data entrusted to them by the Customer if the Customer confirms they are authorised to share such third party personal data.
11.3. If the Customer places any third party personal data on the Website or when performing the Design, within any other activity than the purely personal or domestic one, the Customer becomes the controller of such data as construed under GDPR.
11.4. In the circumstances mentioned in 11.3 above, the Customer executes the data processing agreement for the third party data with the Data Controller as stipulated in 11.6 to 11.10 below.
11.5. Third party data entrusted by the Customer shall be processed by the Data Controller to ensure proper performance of the agreement to provide electronic services executed with the Customer, in connection with the Customer's use of the Website or Order performance.
11.6. The scope of the entrusted data shall cover any third party personal data entrusted in connection with the Customer's use of the Website or with the Order placed, including but not limited to the name and surname, address, gender, image, date of birth or age.
11.7. The Customer agrees to have the third party personal data processing entrusted further to execute the agreement executed with the Customer.
11.8. The third party personal data entrusted by the Customer shall be processed as appropriate by the Data Controller pursuant to Article 28 of GDPR.
11.9. The third party personal data may be processed also by the Data Controller to determine and pursue claims or defend against them, with the legal grounds for processing being the legitimate interest of the Data Controller (Article 6(1)(f) GDPR), consisting in protecting their rights.
11.10. If the Data Controller believes the third party personal data is processed by the Data Controller violating GDPR regulations, provisions of the applicable law or personal interests of the third parties, the Data Controller shall initiate measures to delete such data as soon as possible.
12. Final provisions
12.2. The updated version is available on the Website.