www.skyflar.com on-line shop
We value your privacy and want you to feel comfortable while using our services, therefore we drafted this document which aims to give you detailed information about processing your personal data.
Table of contents:
- General Information
- On – line shop’s personal data recipients
- Acquisition, storage, scope and purpose of personal data processing
- Data subject rights.
- Cookie files mechanism, exploring data and analytics
- Final Provisions
The data administrator of the on – line Shop’s Users’ and Clients’ personal data, in compliance with the General Data Protection Regulation (GDPR) – number 2016/679, issued on the 27th of April 2016 jointly by the EU Parliament and Council, which can be viewed in full using this link: http://eur-lex.europa.eu/legal-content, is Skyflar sp. z o.o. (limited liability company) seated in Ełk, zip code 19-300, Poland, 5/1 Stary Rynek Street, National Court Register number 0000652530, registered in the District Court of Olsztyn, VIIIth Economic Department, taxpayer ID number: 8481866153, state statistical number: 366072444, share capital: 5 000 PLN, represented by Ewa Szwajka – Chairwoman of the Board and Paweł Szwajka – Member of the Board, contact number: +48 796 213 418, e – mail address: firstname.lastname@example.org email@example.com – hereinafter referred to as The Administrator.
- The Users’ personal data is processed in accordance with applicable data protection laws and the on – line supplied services bill, established on the 18th of July 2002 (ustawa o świadczeniu usług drogą elektroniczną).
- This document is of an informative purpose and character, which means it is not a source of the Users’ or Clients’ obligations. Its purpose is to set forth The Administrator’s actions regarding personal data protection and processing, and to describe the services, tools and functionalities attached to the on – line shop that are used by the shop’s Clients, such as registering an account, placing an order, using the contact form, newsletter subscription, or other actions that may arise from using the on – line shop’s website.
2. General Information
- The personal data Administrator makes every useful and necessary effort to protect the interests of the people whose personal data he collects (stores, processes) and to ensure a proper data protection policy within his on – line shop. He carefully selects the data protection measures whether organizational or IT programming related, to provide wholesome security from data leakage, sharing, unauthorized disclosure, access, modification or processing infringing the applicable laws.
- The Administrator hereby states that the on – line shop uses a protocol that secures data transfer, namely the installed SSL protocol (Secure Socket Layer v3). It is a type of security measure which encrypts the data before its transfer from The Client’s browser and decrypts the data after its safe transfer to the shop’s server. The information sent from The Client’s server is also encrypted and, after reaching its destination, decrypted.
- The data is collected in an orderly manner in defined and legally available (applicable) purposes, the Administrator makes sure not to further process the collected data in any illegal or infringing towards the established data protection laws way. The Administrator hereby states that the collected data is stored in a manner enabling to identify the person it regards, not longer than it needs to fulfill the data collection purpose. All the collected data is protected using reasonable technical means and measures as well as data protection programs and policies to ensure the data will not get breached, infringed or leaked. Every reasonable measure is taken to protect the collected data from an unauthorized access or illegal breach.
- The Administrator has the right but also a statutory obligation to disclose Client related data to public authorities for example in case of an ongoing investigation or proceeding regarding breaking the law or other entities entitled to gain such data in accordance with the applicable existing laws.
- Using the services and tools provided by the on – line shop’s infrastructure as well as submitting personal data is voluntary; however, failing to submit some of the personal data required on the website and in the Terms and Regulations will likely result in failing to conclude the on – line sales agreement. The scope of the personal data necessary to conclude an on – line sales agreement is established on the shop’s website as well as in its Terms and Regulations.
3. On – line shop’s personal data recipients
- In order to ensure the proper functioning of the on – line shop, meaning the proper execution and completion of the concluded on – line sales agreements, the administrator uses outside entities (third parties). The administrator transfers the personal data to the outside entities only when it is critical to complete one of the data processing purposes and only in a scope critical to its execution (completion, accomplishment).
- Exemplary recipients of the on – line shop’s personal data are:
- Carrier companies, forwarding agents – in case The Client chooses to ship his products
- Entities carrying out the on – line payment systems – The Administrator entrusts The Client’s personal data to the company carrying out the payment in the scope necessary to complete the service
- Entities providing analytics systems regarding the on – line traffic at the on – line shop, systems to analyze the effectiveness of on – line marketing campaigns, entities carrying out marketing campaigns
- Service providers regarding the on – line shop’s performance enhancement, such as software providers, mailing system providers, hosting providers
- Book keeping entities
- Entities offering their services via the on – line shop
- The outside entities (third parties) process the entrusted personal data in accordance with the aforementioned agreements with the administrator and also by the rules set forth in their own terms and regulations and privacy policies.
- The Administrator entrusts the processing of his Clients’ personal data to the following entities:
- Dhosting.pl sp. z o.o., Al. Jerozolimskie 98, 00-607 Warszawa. KRS: 0000336780, NIP: 7010198361, REGON: 149988822 – for the purpose of storing the data on a server on which the shop is installed
- Clivio Katarzyna Meszka ul. Romańska 14, 97-330 Sulejów, NIP: 7712782209, REGON: 101620724 – for the purpose of maintaining the shop’s on – line infrastructure
- FT Audytor sp. z o.o. ul. Wojska Polskiego 59, 19-300 Ełk, KRS: 0000349605, NIP: 8481834302, REGON: 280480365 – for the purpose of providing the on – line shop’s book keeping
- Allekurier Sp. z o.o., ul. Balicka 12a/b4, 30-149 Kraków, KRS: 0000430370, NIP: 6772370941 REGON: 122640506 – for the purpose of providing the ordered product’s delivery
- Poczta Polska S.A, ul. Rodziny Hiszpańskich 8 00-940 Warszawa, KRS: 0000334972, NIP: 5250007313, REGON: 010684960 – for the purpose of providing the ordered product’s delivery
- PayPal Polska Sp. z o.o., ul. Emilii Plater 53, 00-113 Warszawa, KRS: 0000289372, NIP: 5252406419, REGON: 141108225 – for the purpose of providing on – line payment system for the ordered products
- Pozytywne Media Marcin Kusideł, ul. Dolna 11, 00-773 Warszawa, NIP: 7712266643, REGON: 142225074 – for the purpose of carrying out marketing services
4. Personal data collecting, storing, purpose and processing actions
- The Administrator acquires user information for example via storing server logs through the hosting operator, IP addresses, the software and equipment parameters, website browsing, ID number of the mobile device and other data concerning the devices and systems usage. Collecting such data will be subsequent to using the on – line shop. Such data is not used by The Administrator with the purpose of identifying the User/Client.
- The Administrator may also collect navigation data, including information about links and reference link or other actions that The User/Client undertakes so as to simplify the use of the on – line services and to enhance their functionality.
- The Administrator reserves the right to filter and block the messages sent through the internal messaging system, especially when the messages are spam, or contain forbidden content or otherwise threaten the security of the on – line shop’s Users.
- The Administrator processes The Clients’ personal data for the following purposes:
- Placing an order
- To complete and execute actions before entering into agreement with the Client, to guarantee a full range of customer service within the on –line shop, such as creating and managing a Client’s account, contacting The Users in response to their contact form requests, or through e – mail
- Entering into and executing a sales agreement or entering into and executing an electronic service supply agreement
- Covering and completing the complaint procedures
- Direct marketing of the Shop’s products or services
- Adjusting the user’s offers and experiences, including advertisements in the Shop’s features
- To monitor all and each User’s activities within the on – line Shop
- Contacting the Users particularly in terms of service providing purposes, customer service and permitted marketing and advertising actions
- Perform exams and evaluations as well as analysis towards the available services improvement
- Execute the proper implementation and following of the Terms and Regulations
- Sending out Newsletter service
- Analytics to enhance the offered services.
- The Administrator informs that he collects, stores and processes the following Client/User data: name, surname, housing address, telephone number, e – mail address. Towards the Clients who are not Consumers Administrator may also process their taxpayer ID number, company’s name and address.
CONTACT WITH THE CLIENT
- The Administrator may store within his on – line Shop data containing information helpful in establishing contact with The Client, in order to send them notifications or payment related feedback. Processing data with this intention is in accordance with the article 6 section 1 letter A of GDPR and article 6 section 1 letter F of GDPR.
REGISTERING AN ACCOUNT
- User data that the user enters while registering in the on – line shop is collected upon the user’s consent and is therefore governed by article 6 section 1 letter A of GDPR; if the user enters into an on – line agreement, his data will be processed upon article 6 section 1 letter B.
- When placing an order within the shop, The Client enters his personal data, which is used to execute the on – line sales agreement in relation to the order’s completion (article 6 section 1 letter B of GDPR), to issue an invoice and to carry out actions according to the tax law regulations (article 6 section 1 letter C of GDPR). For archive and statistics purposes the data will be processed upon The Administrator’s justified cause (article 6 section 1 letter F of GDPR).
- The basis for data processing regarding determining or making claims, or defending The Administrator’s rights, is article 6 section 1 letter F of GDPR.
- Order data will be processed in the time necessary to complete the order and then until the time arising from the limitation (claims) periods, further the order data may be processed for statistical purposes.
- The on – line shop offers a newsletter on – line service. Data submitted to subscribe is used solely for that purpose upon the user’s consent (article 6 section 1 letter A of GDPR).
- The voluntary consent to receive the newsletter service may be withdrawn at any time via a written statement by the subscriber to quit. The Administrator will immediately, no later than 48 hours after receiving the withdrawal statement, erase the data submitted in order to subscribe from his newsletter contact base.
- When using the newsletter on – line service, one can correct one’s submitted data, ask to have it erased by quitting the newsletter, or execute the right to data portability (article 20 of GDPR).
- The Administrator enables to make contact with him using the website’s contact form which is interactive. Using the contact form means that one has to enter personal data that will allow to contact the user and give him a response. The User may also enter additional data that will make it easier to contact him, or commission a service. The data marked as compulsory is critical to process the user’s question or problem and failing to submit it may result in failing to complete the service. Submitting other data is voluntary.
- The legal basis for processing data is article 6 section 1 letter B of GDPR.
- For statistical and analytic purposes the legal basis for data processing is the administrator justified cause (article 6 section 1 letter F of GDPR).
SOCIAL MEDIA TOOLS
- The website uses social media plugins such as Facebook, Twitter, Instagram, Pinterest. When such a page is entered, the user’s browser establishes a direct connection with the servers of those services’ administrators. The plugin content is transmitted directly to the user’s browser and integrated with the site. If the user is logged in to one of those social media services, the service provider will be able to assign the visit on a given site to the user’s profile on this social media service. The purpose and scope of data processing and further processing and use by the service providers, as well as contact information, the user’s rights and the ability to change such settings, are set forth in those services’ privacy policies respectively.
- The Administrator informs that he uses the Google Ads service to promote his on – line shop in the browsing results and on third parties’ websites. Automatically, during a visit to the shop’s website, Google leaves its remarketing cookie file on every visiting user’s device, which, using a pseudonymous ID and viewing the browsing history, enables the display of personalised ads reflecting the user’s interests. The Google Ads service is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, 94043, USA, which joined the Privacy Shield program regarding proper security measures for data processing – that reflect those used within the EU.
5. Data subject rights
- The GDPR gives the users several fundamental rights and prerogatives, which are listed and described below. They are not, however, absolute and will not apply in every data processing case. If the user wishes to execute one of the following rights, he is required to send a written statement to the administrator’s e – mail address or to his seat address.
- Right of access by the data subject, article 15 GDPR
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority.
- Right to rectification, article 16 GDPR
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (‘right to be forgotten’), article 17 GDPR
- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- d) the personal data have been unlawfully processed;
- e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- a) for exercising the right of freedom of expression and information;
- b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- e) for the establishment, exercise or defence of legal claims.
- Conditions for consent, article 7, section 3 GDPR
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- Right to object, article 21 GDPR
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing, article 18 GDPR. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability, article 20 GDPR
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
- The subject shall also have the right to file a claim with The Chairman of the Data Protection Office (Urząd Ochrony Danych Osobowych) regarding a breach of his personal data protection rights or other rights granted by the GDPR.
- For direct marketing purposes the website Administrator can use profiling, but decisions made based on such profiling do not concern concluding an agreement or denial of such action, nor the sole ability to use on – line services.
- As a result of profiling the user may get a discount, may be notified about remaining items in his cart, may get propositions regarding purchasing new products customized to his preferences.
- Ultimately though, it is an independent decision made by the user if he wants to use and benefit from proposed discounts or notifications. Profiling means an automatic analysis or prognosis regarding one’s behavior shown on the shop’s website based on, for example, types of products previously browsed or bought. The user must consent to let the administrator use profiling in his case (say yes to the discount etc.).
- Every user has a right to protest the automatic decision making and profiling regarding his own website history and let the administrator know that one no longer wishes to be profiled, if such profiling or automatic decision making devices directly affects or concerns that person, or has other significant impact regarding that person.
7. Cookie File Policy, operational data and analytics
- The Administrator automatically collects the Cookie files information in order to store data surrounding the use of his on – line Shop by its Clients. Cookie files consist of a short text fragment which is sent by the on – line service to the User’s browser and which is sent back on future entrances to the given website. They are mostly used to maintain the session, i.e. through generating and sending back a temporary login ID.
- The Administrator uses the “session” Cookie files stored on the Client’s DTE until his logging out, the website’s shut down, or the browser’s shut down, as well as “permanent” Cookie files, stored on the Client’s DTE for a definite time period, established in the Cookie files parameters or as long as the Client does not erase them.
- The Administrator uses the exterior Cookie files for the following purposes:
- To collect general and anonymous statistic data using the analytics tools: Google Analytics (the cookies administrator is Google Inc. based in USA)
- To use the interactive features to popularize the on – line shop on social media platforms such as Facebook (the cookies administrator is Facebook Inc. based in USA or Facebook Ireland based in Ireland)
- The Cookie files adjust and optimize the on – line Shop and its offer towards the Customer’s wishes and needs through actions such as creating statistics of the website’s unique hits and providing protection to the site’s Users. Cookie files are also necessary to maintain the User’s session after he leaves the on – line Shop.
- The Administrator informs that he uses the Google Analytics tracking code – to analyse the site’s statistics and for Google Ads purposes.
- The Administrator uses Facebook Pixel – to follow actions related to the shop’s ads on the Facebook platform; the information collected via the pixel is anonymous and does not allow the Administrator to identify a specific person. To learn more about this please visit: https://www.facebook.com/privacy/explanation. Additionally, the subscriber’s e – mail may be disclosed to Facebook, to target and customize certain marketing techniques and enable better customer – focused on – line ads.
- The Client may at all times alter his Cookie files settings, he may also block the possibility to store and collect the Cookie files.
- Blocking the Cookie files storage ability or entering other changes in the Cookie files settings on the Client’s DTE may harm or worsen, and sometimes even prevent, the use of the on – line Shop’s services, including placing an order.
- The Client who does not want the Cookie files to be used for all the above mentioned purposes may erase them manually at all times. To find the proper and complete instructions, The Client is advised to visit the website of the producer of the browser which the Client currently uses. More information regarding the Cookie files can be found in the help menu of every internet browser. For example, Cookie files operating browsers include Internet Explorer, Mozilla Firefox, Google Chrome, Opera.
- Some outside entities operating within the on – line Shop enable Users to revoke their consent to store and collect data regarding advertising purposes based on the Client’s activity. More information regarding this topic, as well as the choosing rights, can be obtained from the www.youronlinechoices.com website. You can block sharing the information on your on – line shop activity gathered by Google Analytics by using the following link: https://tools.google.com/dlpage/gaoptout?hl=pl
8. Final Provisions