- The owner of the Service and at the same time the Data Controller is Laboratorium Kosmetyczne Dr Irena ERIS Sp. z o.o., located in Piaseczno, ul. Armii Krajowej 12, 05-500 Piaseczno, Poland, registered in the District Court for the Capital City Warsaw, XIV Economic Department of the National Court Register, KRS 0000370362, share capital 200 200 000,00 PLN (200.2 million zloty), fully paid, VAT no 5272642206, hereinafter referred to as the Company.
- Personal data collected by the Company through the Service are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general regulation on data protection), also called the GDPR.
- The Company uses special diligence to respect the privacy of Customers visiting the Service.
§ 1 Type of data processed, purposes and legal basis
- The Company collects information about persons carrying out legal actions not directly related to their business activities, natural persons conducting business or professional activities on their own behalf, and natural persons representing legal persons or organizational units which are not legal persons, to which the law confers legal capacity, conducting business or professional activity on their own behalf, hereinafter collectively referred to as Customers.
- When using the Service Website, additional information may be downloaded, in particular: the IP address assigned to the Customer’s computer or the external IP address of the Internet provider, domain name, type of browser, access time, type of operating system.
- Navigation data may also be collected from Customers, including information about links in which they decide to click or other activities undertaken in our Service. Legal basis – a legitimate interest (art. 6 par. 1 f) of the GDPR), consisting in facilitating the use of electronic services and improving the functionality of these services.
- In order to determine, pursue and enforce claims, certain personal data provided by the Customer may be processed as part of using the functionality in the Service, such as: name, surname, data regarding the use of services, if the claims result from the manner in which the Customer uses services, other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis – a legitimate interest (Art. 6 par. 1 f) of the GDPR), consisting in establishing, pursuing and enforcing claims, as well as defending against claims in proceedings before courts and other state authorities.
- The transfer of personal data to the Company is voluntary in connection with the provision of services via the Website.
§ 2 With whom are data shared or to whom are they entrusted, and how long are they stored?
- The Customer’s personal data is provided to service providers used by the Company when operating the Service. Service providers to whom personal data are transferred, depending on contractual arrangements and circumstances, or are subject to the Company’s instructions as to the purposes and methods of processing this data (processing entities).
- Customers’ personal data are stored:
a) If the basis for the processing of personal data is consent, then the Customer’s personal data are processed by the Company until the consent is revoked, and after revoking the consent for a period of time corresponding to the limitation period of claims that the Company may raise and which may be raised against it. Unless a special provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity – three years.
b) If the basis for data processing is the performance of the contract, then the Customer’s personal data is processed by the Company as long as it is necessary to perform the contract, and after that time for a period corresponding to the period of limitation of claims. Unless a special provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activity – three years.
- Navigation data can be used to provide Customers with better service, to perform statistical data analysis and to adapt the Service to Customer preferences, as well as to administer the Service.
- In the event of a request being made, the Company provides personal data to authorized state bodies, in particular organizational units of the Prosecutor’s Office, the Police, the President of the Office for Personal Data Protection, the President of the Office for Competition and Consumer Protection or the President of the Office of Electronic Communications.
§ 3 Cookies mechanism, IP address
- The Service uses small files called cookies. They are saved by the Company on the terminal equipment of the person visiting the Service, if the web browser allows it. A cookie usually contains the name of the domain from which it comes, its “expiry time” and an individual, randomly selected number identifying this file. Information collected using this type of files helps to tailor the products offered by the Company to the individual preferences and real needs of visitors to the Service. They also give the opportunity to compile general statistics of visits to the presented products in the Service.
- The company uses two types of cookies:
a) Session Cookies: after the browser session ends or the computer is turned off, the saved information is deleted from the device’s memory. The mechanism does not allow session cookies to retrieve any personal data or any confidential information from Customers’ computer.
b) Persistent Cookies: they are stored in the memory of the Customer’s end device and remain there until they are deleted or expire. The mechanism of persistent cookies does not allow you to download any personal data or any confidential information from Customers’ computer.
- The Company uses its own cookies for:
a) analysis, research and audience audit, and in particular to create anonymous statistics that help understand how Customers use the Service Website, which allows improving its structure and content.
- The Company uses external cookies for:
a) collecting general and anonymous statistical data via Google Analytics analytical tools (external cookie administrator: Google Inc. based in the USA).
- The cookie mechanism is safe for computers of Service Customers. In particular, it is not possible for viruses or other unwanted software or malware to enter Customers’ computers in this way. Nevertheless, in their browsers, Customers have the option of limiting or disabling cookies’ access to computers. If you use this option, you will be able to use the Service, except for functions that by their nature require cookies.
- The way to disable cookies in individual browsers can be found in your browser settings. In case of problems, please check the help option of your web browser.
- The Company may collect Customers’ IP addresses. The IP address is the number assigned to the computer of the person visiting the Service by the internet service provider. The IP number allows access to the Internet. In most cases, it is assigned to the computer dynamically, i.e. it changes every time you connect to the Internet. The IP address is used by the Company when diagnosing technical problems with the server, creating statistical analyses (e.g. determining from which regions we record the most visits), as information useful in administering and improving the Service, as well as for security purposes and the possible identification of unwanted automated programs that burden the server by viewing the content of the Service.
§ 4 Rights of data subjects
- Right to withdraw consent – legal basis: art. 7 point 3 GDPR.
a) The Customer has the right to withdraw any consent given to the Company.
b) Withdrawal of consent has effect from the moment of withdrawal of consent.
c) Withdrawal of consent does not affect the processing carried out by the Company in accordance with the law before its withdrawal.
d) Withdrawal of consent does not entail any negative consequences for the Customer, however, it may prevent further use of the services or functionalities which, according to the law, the Company may only provide with consent.
- Right to object to data processing – legal basis: art. 21 GDPR.
a) The Customer has the right to object at any time – for reasons related to his particular situation – to the processing of his personal data, including profiling, if the Company processes its data based on a legitimate interest, e.g. marketing of the Company’s products and services, conducting statistics on the use of individual functionalities of the Service and facilitating the use of the Service, as well as satisfaction surveys.
b) If the Customer’s objection turns out to be well founded and the Company has no other legal basis to process personal data, the Customer’s personal data to whose processing the Customer has objected will be deleted.
- The right to delete data (“right to be forgotten”) – legal basis: art. 17 GDPR.
a) The Customer has the right to request the erasure of all or some personal data.
b) The Customer has the right to request the removal of personal data, if:
i. personal data are no longer necessary for the purposes for which they were collected or for which they were processed;
ii. the Customer withdrew specific consent to the extent to which personal data were processed based on his consent;
iii. the Customer objected to the use of his data for marketing purposes;
iv. personal data is processed unlawfully;
v. personal data must be deleted in order to comply with a legal obligation under Union law or the law of the Member State to which the Company is subject;
vi. personal data has been collected in connection with offering information society services.
c) Despite the request to delete personal data, in connection with an objection or withdrawal of consent, the Company may retain certain personal data to the extent that the processing is necessary to establish, assert or defend claims, as well as to comply with a legal obligation requiring processing under Union or Member State law to which the Company is subject. This applies in particular to personal data including: name, surname, e-mail address, which are stored for the purposes of examining complaints and claims related to the use of the Company’s services, or additionally the address of residence / correspondence address, order number, which are kept for the purposes of examining complaints and claims related to concluded sales contracts or provision of services.
- The right to limit data processing – legal basis: art. 18 GDPR.
a) The Customer has the right to request a restriction of the processing of his personal data. Submission of the request, until it is considered, prevents the use of certain functionalities or services, the use of which will involve the processing of the data covered by the request. The company will also not send any messages, including marketing messages.
b) The customer has the right to request the restriction of the use of personal data in the following cases:
i. when the Customer contests the correctness of his personal data – then the Company limits its use for the time needed to check the correctness of the data, but no longer than for 7 days;
ii. if the processing of data is unlawful, and instead of deleting the data, the Customer will request to limit their use;
iii. when personal data cease to be necessary for the purposes for which they were collected or used but they are needed by the Customer to determine, assert or defend claims;
iv. when he objected to the use of his data – then the restriction occurs for the time needed to consider whether – due to the special situation – the protection of the interests, rights and freedoms of the Customer outweighs the interests that the Controller carries out by processing the Customer’s personal data.
- Right of access to data – legal basis: art. 15 GDPR.
a) The Customer has the right to obtain from the Controller confirmation whether it is processing personal data, and if this is the case, the Customer has the right to:
i. gain access to personal data;
ii. obtain information about the purposes of processing, categories of personal data processed, about recipients or categories of recipients of these data, the planned period of storing the Customer’s data or about the criteria for determining this period (when determining the planned period of data processing is not possible), about the rights of the Customer under the GDPR and on the right to lodge a complaint with the supervisory authority, on the source of this data, on automated decision-making, including profiling, and on the safeguards used in connection with the transfer of such data outside the European Union;
iii. obtain a copy of the personal data.
- Right to rectify data – legal basis: art. 16 GDPR.
- Right to data portability – legal basis: art. 20 GDPR.
a) The Customer has the right to receive his personal data provided by the Controller, and then send it to another personal data controller of his choice. The Customer also has the right to request that personal data be sent by the Controller directly to such an administrator, if it is technically possible. In this case, the Controller will send the Customer’s personal data in the form of a csv file, which is a commonly used, machine-readable format that allows the received data to be sent to another personal data controller.
- In the event of the Customer exercising any of the above rights, the Company shall comply with the request or refuse to comply with it immediately, but not later than within one month after receiving it. However, if, due to the complex nature of the request or the number of requests, the Company is not able to comply with the request within a month, it will comply within the next two months, informing the Customer in advance, within one month of receiving the request, about the intended extension of the deadline and its reasons.
- The Customer may submit to the Controller complaints, queries and requests regarding the processing of his personal data and the exercise of his rights.
- The customer has the right to lodge a complaint to the President of the Office for Personal Data Protection regarding the violation of his rights to the protection of personal data or other rights granted under the GDPR.
§ 5 Services tailored to your preferences and interests (profiling)
- Profiling means any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of a natural person, in particular to analyze or forecast aspects of the natural person’s performance at work, economic situation, health, personal preferences, interests, credibility, behavior, location or movement.
- Customers’ personal data may be processed in an automated way (profiling), however, this will not have any legal effect on them or similarly significantly affect the situation of customers.
- The profiling of personal data by the Company consists in processing Customer’s data in an automated and manual manner, by using them to evaluate some information about the Customer, in particular to analyze or forecast his personal preferences and interests.
- In order to reach the Customer with marketing messages via the Service Website, the Company uses its own cookie mechanisms to download information about the Customer’s activity on the Service Website. Details regarding cookies used can be found in §3. Legal basis – legitimate interest (art. 6 par. 1 f) of the GDPR), consisting in matching marketing messages to preferences and interests.
- Date of entry into force ………………………