1. GENERAL PROVISIONS
- The terms not defined herein may have a meaning given to them in the Regulations of the Website.
- Personal information means any information relating to an identified or identifiable natural person (“data subject”), i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier (feature) such as: name and surname, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- The Customers’ personal data are processed in accordance with the applicable regulations, particularly the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”) and the Act of 10 May 2018 on personal data protection.
- In order to ensure security of the Customers’ personal data, we implement the appropriate technical and organisational measures in terms of security of personal data processing.
2. DATA CONTROLLER
We inform that the Joint Controller of your personal data is:
- Focus sp. z o.o. with its registered office at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register under KRS number: 0000815538, with the share capital of PLN 5,000.00, NIP [tax identification number]: 5170403426, REGON [statistical identification number]: 384947680,
- Nphoto sp. z o.o. with its registered office at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register under KRS number: 0000815539, with the share capital of PLN 5,000.00, NIP [tax identification number]: 5170403403, REGON [statistical identification number]: 384947615,
- ColorlandTeam sp. z o.o. with its registered office at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register under KRS number: 0000813857, with the share capital of PLN 5,000.00, NIP [tax identification number]: 5170403260, REGON [statistical identification number]: 3848634270,
- Cyfrowa Foto sp. z o.o. with its registered office at 36-062 Zaczernie 190, entered into the Register of Entrepreneurs kept by the District Court in Rzeszów, 12th Commercial Division of the National Court Register under KRS number: 0000259700, with the share capital of PLN 50,000.00, NIP [tax identification number]: 180149478, REGON [statistical identification number]: 180149478,
- Piotr Leszczyński, conducting economic activity under the name najlepszefoto.pl Piotr Leszczyński with its registered office at Zaczernie 190, 36-062 Zaczernie, NIP [tax identification number]: 8132260802, REGON [statistical identification number]:691668352,
If the content hereof uses the term Controller, it shall refer to the above-mentioned Joint Controllers.
Within the framework of the contract on joint control concluded between the Joint Controllers, it was agreed that:
- Each of the Joint Controllers is obliged to ensure security of Personal Data processing by implementation of the appropriate technical and organisational measures, appropriate to the type of Personal data processed and the risk of violating the rights of persons to whom these data relate.
- The Joint Controllers agree that in terms of fulfilling the disclosure obligation in relation to persons to whom these data relate, as well as giving the answer to the request of the person to whom these data relate (to exercise the right to access the Personal Data, correct, erase, restrict the processing, transfer the Personal data, oppose to the processing of Personal data) the competent person shall be the Joint Controller 1
- In the case when the request referred to in paragraph 2 above is, on the basis of the Art. 26(3) of the GDPR, sent to any other Joint Controllers, the Joint Controller to whom the request has been sent is obliged to immediately inform the Joint Controllers about every request received from the entitled person within the framework of exercising by this person the rights resulting from the GDPR and to communicate the content of the request with any necessary information which makes it possible to give the answer. In such a case, the Joint Controller 1 is obliged to give the answer after establishing a common position.
- Notwithstanding the regulations referred to in paragraph 3 above, the Joint Controller 2-5 is obliged to cooperate with the Joint Controller 1 in terms of giving the answer to the requests of the person to whom the data relate, fulfilling these requests and giving all necessary information in this regard to the Joint Controller 1.
- The Joint Controllers shall designate a single contact point for all requests concerning personal data of persons to whom the data relate, that is an e-mail address: firstname.lastname@example.org and postal address: Cyfrowa Foto Sp. z o.o. Zaczernie 190, 36 – 062 Zaczernie.
3. SCOPE OF THE CUSTOMER’S PERSONAL DATA PROCESSED
- The scope of the Customer’s personal data processed by the Joint Controller shall comprise:
- Customer’s data provided when filling in the Registration Form: name, surname, address of residence, delivery address, e-mail address, phone number, date of birth (voluntarily) and in the case of the Customers who are not the Consumers, additionally the company name and NIP number [tax identification number];
- Customer’s data made available to the Controller via Facebook, if the Customer has selected the option of Registration via Facebook (see paragraph 9.4.);
- Customer’s data obtained by the Controller in connection with using cookie files and other similar technologies (see paragraph 10);
- Customer’s data regarding the Order placed on the Website, including Customer’s data contained in the files and completed Projects which the Customer has made available;
- other Customer’s data voluntarily provided by the Customer by means of electronic forms available on the Website or other contacts with the Controller’s consultant.
- Due to the fact that the services offered within the framework of the Website are dedicated to adult persons, the Joint Controllers do not deliberately process the personal data of children using the services.
4. PURPOSES AND LEGAL GROUNDS FOR PROCESSING THE CUSTOMERS’ PERSONAL DATA
- The Customers’ personal data are or may be processed by the Joint Controllers:
- in order to conclude and perform a contract on sales concluded via the Website – in this case, processing is necessary to conclude and perform the contract to which the Customer is a party or to take measures at the Customer’s request before the contract is concluded (Art. 6(1)(b) of the GDPR);
- for the purpose of Registration and running the Account on the Website – in this case, data processing is necessary to perform the contract to which the Customer is a party or to take measures at the Customer’s request, before the contract is concluded (Art. 6(1)(b) of the GDPR);
- for the marketing purposes of the Joint Controllers resulting from the consent given by the Customer for the provision of commercial information (newsletter), in this case, data processing is based on the Customer’s consent (Art. 6(1)(b) of the GDPR);
- in order to resolve the issue described by the Customer in the electronic form available on the Website and within the framework of chatting with the Account Manager– in this case, processing is necessary to conclude and perform the contract on providing services by electronic means (Art. 6(1)(b) of the GDPR) and is based on the legitimate interest (Art. 6(1)(f) of the GDPR) consisting in the sales support;
- in order to provide services by electronic means in terms of enabling the Customers to consult, reproduce and read information and materials available within the framework of the Website - in this case, data processing is necessary to conclude the contract to which the Customer is a party (Art. 6(1)(b) of the GDPR);
- in order to enable the Project to be carried out on the Website - in this case, data processing is necessary to conclude the contract to which the Customer is a party (Art. 6(1)(b) of the GDPR);
- in order to implement the Controller’s legitimate interest connected with running the Website, including analysing the use of the Website by the Customer, ensuring security and reliability of the services rendered within the framework of the Website (Art. 6 (1)(f) of the GDPR);
- in order to implement the Controller’s legitimate interests which may include identifying, pursuing and defending the claims, preventing criminal offences and conducting related investigations, managing the business activity and its further development, including risk management (Art. 6 (1)(f) of the GDPR);
- in order to measure the Customers’ satisfaction (e.g. through surveys sent to the Customers by e-mail by the Controller or their Partners providing services in this regard on the basis of the contract concluded with the Controller) – data processing is based on the Controller’s legitimate interest (Art. 6(1)(f) of the GDPR);
- for the purposes of direct marketing of the Controller, including the selection of goods and services adjusted to the Customers’ needs (including profiling) on the basis of cookie files and other similar technologies referred to in paragraph 10 – in this case, data processing is based on the Controller’s legitimate interest (Art. 6(1)(f) of the GDPR);
- in order to ensure compliance with the legal obligations imposed on the Joint Controller (including those resulting from the Act on accounting and tax regulations) when processing is necessary to comply with the legal obligation imposed on the Joint Controllers (Art. 6(1)(c) of the GDPR);
- Providing personal data on the Website is voluntary but it may be necessary to carry out one or more services and purposes of personal data processing, as stipulated in paragraph 3.1. above which the Controller shall not be able to carry out in case the personal data are not provided.
- The Customer’s personal data collected through direct contact of the Customer with persons acting on behalf of a given Joint Controller, including the contact through helpline or within the framework of contact with the Account Manager, are used only for the purpose of contacting the Customer and giving them information and advice.
5. TERM OF PROCESSING THE CUSTOMER’S PERSONAL DATA
- The Joint Controller processes the Customer’s personal data in the manner and for the period necessary to achieve the purposes for which the data are collected.
- In the case of data processing:
- in order to conclude and perform a contract (including the sales contract) – the Customer’s data shall be processed during the term and performance of the contract;
- on the basis of the Customer’s consent – the Customer’s data shall be processed until the consent is withdrawn;
- in order to ensure compliance with the legal obligations imposed on the Joint Controller – the Customer’s data shall be processed for the period required by the provisions of law;
- for the purposes of direct marketing of the Controller, including the selection of goods and services adjusted to the Customers’ needs (profiling) – the Customer’s data shall be processed until the Customer’s objection;
- in order to implement other reasonable interests of the Controller – data shall be processed until the objection made by the Controller is accepted or the period of limitation for claims expires, unless otherwise provided for in the detailed provisions hereof.
- After the processing period expires, the data are removed or anonymised.
6. CUSTOMER’S RIGHTS AND OBLIGATIONS
- If personal data processing is based on the consent expressed by the Customer, such a consent is voluntary and may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The statement on the consent withdrawal shall be made by e-mail at the e-mail address of each Joint Controller.
- The Customer is also entitled to:
- remove their personal data;
- limit the processing of their personal data;
- access to the content of their data and adjustment (correction);
- receive a copy of their data or their transfer, whereby this right may not have a negative impact on other persons’ rights and
- freedom (including any business secrets or intellectual property rights) and shall be exercised as far as technically possible;
- object to the processing of their personal data when processing is based on the legitimate interest of the Data Controller or any third party.
- The Joint Controller 1 shall exercise the Customer’s rights, subject to the exceptions laid down in the provisions of the GDPR;
- A registered Customer may also correct or update their personal data regarding the Account on their own. For that purpose, they shall log in to the Account, go to the “Account Settings” tab and make relevant amendments in the Personal Data box.
- In order to exercise the rights set out in paragraph 6.1 and 6.2, an e-mail shall be sent to the Personal Data Protection Supervisor appointed by the Joint Controllers, i.e. email@example.com, or to the address of the fixed contact point: Cyfrowa Foto sp. z o.o. 36-062 Zaczernie, Zaczernie 190, e-mail address firstname.lastname@example.org.
- The Customer is entitled to lodge a complaint to the supervisory authority: Information Commissioner’s Office (https://ico.org.uk/, https://www.ldi.nrw.de), if he thinks that data processing which relates to him violates the provisions of the GDPR.
7. ENTITIES WITH WHOM THE PERSONAL DATA ARE SHARED
- The Controller shares the Customers’ personal data if they have legal grounds for it, especially when it is necessary to carry out the services for the Customers.
- The Customers’ personal data may also be shared at the request of public authorities or other entities authorised to such as access on the basis of the provisions of law, particularly when it is necessary to ensure security of the Controller’s systems.
- The Recipients of the Customers’ personal data may include in particular:
- entities authorised to obtain the Customer’s data on the basis of the applicable provisions of law;
- entities whose services are used by the Controller to provide the Customers with goods and services, especially:
§ entities providing services or making the communication and information systems available for the Controller;
§ entrepreneurs providing services related to the delivery and maintenance of the software used to operate the Website;
§ payment system operators;
§ entities providing postal and courier services;
§ law firms and consulting firms which the Controller cooperates with.
- reliable marketing partners of the Controller:
§ Google LLC in connection with using Google Analytics;
§ Hubspot Inc. in connection with using Hubspot;
§ Facebook in connection with using Piksel.
§ GetResponse – in connection with using GetResponse
§ Smartsupp.com, s.r.o. - in connection with using Smartlook
8. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
- The Controller shall transfer the personal data outside the European Economic Area (EEA) only when it is necessary and while ensuring the appropriate protection level, mainly by means of:
- cooperating with the entities processing personal data in the countries with respect to which a relevant decision of the European Commission has been issued;
- applying the standard contractual clauses issued by the European Commission;
- applying the binding corporate rules, approved by the competent supervisory authority;
- in the case of transfer of data to the USA – cooperation with entities participating in the Privacy Shield programme approved by the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the list of entities from the USA participating in this programme is available at: https://www.privacyshield.gov/list).
- If applicable, the Controller always informs about their intention of transferring personal data outside the EEA when they are collected. At the Customer’s request, the Controller shall make available to them a copy of their data which shall be transferred outside the EEA.
9. SOCIAL MEDIA
- In order to use the service of accessing the Account and related services, the Customer may register and log in via the account on the social networking service Facebook. Facebook may automatically transfer the following personal data of the Customer to the Controller:
- numerical identifier of the social networking service (ID)
- name and surname
- profile picture
- date of birth
- other public information.
- In the case referred to in paragraph 9.2, an extra registration is required to create the Account on the Website.
- The legal grounds for processing of the Customer’s personal data, in connection with their use of the optional Registration and logging in via Facebook shall be the Customer’s consent (Art. 6(1)(a) GDPR).
10. COOKIES AND OTHER SIMILAR TECHNOLOGIES
- According to the practice of the majority of websites, while using the Website, the Customer’s personal data may be automatically collected in system logs by cookie files (“cookies”), Google Analytics system, Hubspot system, GetResponse and Smartlook.
- Cookies are files stored on the Customer’s end device which are used to identify the Customers and provide statistical information on the Customer traffic, Customer activity and the way the Website is used. They allow for adjusting the content and services to the Customers’ preferences, among others.
- The Website uses session cookies which are removed after the web browser is closed, as well as persistent cookies stored for a specific time (specified in the parameters of cookies or until they are removed by the Customer) on the end devices used by the Customer.
- The Controller uses the following types of cookie files:
- necessary to use the services, e.g., used for services which require authentication;
- used to make logging in to the Account through social media easier;
- used to ensure security;
- allowing for collecting information on the method of using the services;
- allowing for saving the settings selected by the Customer and personalising the Customer’s interface;
- allowing for providing the Customers with the content more adjusted to their preferences and interests.
- The Customer may on their own and at any time change the settings concerning the cookie files by specifying the conditions of their storage and access to the cookie files to the Customer’s end device by means of the web browser settings.
- The Customer may at any time remove the cookie files while using the available functions of the web browser that they use. It may, however, result in the limitations of some functionalities available on the Website.
- As part of using Google Analitycs, the Joint Controllers also collect information on the users’ activity on the Website by means of tags. Tags are small fragments of the website code allowing, among others, for measuring the users’ traffic and behaviour, collecting information on the efficiency of online advertisements and social channels, using the remarketing and targeting the advertisements at the target group, as well as testing and improving the Website.
- Using the Website entails sending the queries to the server supporting the Website. Every query sent to the server is stored in the server logs. Logs cover e.g. IP address, date and time of the server, information on the web browser and operating system used by the Customer. Logs are saved and stored on the server. The data saved in the server logs are not associated with any specific persons using the Website and are not used for the purpose of identification. Server logs are solely an auxiliary material used to manage the Website and their content is not disclosed to anyone but to persons authorised to manage the Website.
- The Joint Controllers also use Hubspot, GetResponse and Smartapp systems for collecting and processing the Customers’ data, especially their activity on the Website on the basis of cookies, local storage and other technologies to personalise the content provided to the Customer and optimise the sales process.
11. PROCESSING THE THIRD PARTY PERSONAL DATA
- If the Customer makes any third party personal data available on the Website, they may do it provided that they do not violate the provisions of law in force and personal rights of these persons. Third parties are natural persons whose personal data are made available on the Website by the Customer or within the framework of the Project implementation.
- The Joint Controllers may process the third party personal data which the Customer entrusted him with if the Customer confirms that they are authorised to transfer the third party personal data.
- In the cases when the Customer makes third party data available on the Website or within the framework of the Project implementation, within the framework of the activity other than purely personal or domestic, the Customer acts as the Controller of these data within the meaning of the GDPR provisions.
- In the case referred to in paragraph 11.3 above, the Customer shall conclude with a given Controller a contract on entrustment of third party data processing according to the principles set out in paragraph 11.5 – 11.10 below.
- The third party data entrusted by the Customer shall be processed by the Joint Controllers for the purpose of proper performance of the contract on the provision of services by electronic means concluded with the Customer – in connection with the Customer’s use of the Website or Order fulfilment.
- The scope of entrusted data covers all third party personal data entrusted in connection with the Customer’s use of the Website or in connection with the order placed, particularly the name and surname, address, sex, image, date of birth or age.
- The Customer gives their consent for further entrustment with third party personal data (so called “sub-entrustment'') in order to perform a contract concluded with the Customer.
- The third party personal data entrusted by the Customer shall be processed in an appropriate manner by the Controller pursuant to Art. 28 of the GDPR.
- The third party personal data may also be processed by the Joint Controller to identify, pursue and defend against possible claims – the legal grounds for processing is the legitimate interest of the Joint Controllers (art. 6(1)(f) of the GDPR), consisting in the protection of their rights.
- If any of the Controllers states that the third party personal data is processed in breach of the provisions of the GDPR, provisions of law in force or personal rights of third parties, the Controller shall take measures to remove such data as soon as possible.
12. FINAL PROVISIONS
- The up-to-date version is available on the Website.