- The controller of personal data collected via the online Store www.dottore.pl is DOTTORE SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ SPÓŁKA KOMANDYTOWA entered in the register of entrepreneurs kept by the District Court Poznań – Nowe Miasto and Wilda in Poznań, 7th Commercial Division of the National Court Register under KRS No: 0000459514, TAX ID NO (NIP): 7811884930, STATISTICAL ID NO (REGON): 302419610, place of business and service address: ul. Margonińska 22, 60-425 Poznań, e-mail address (e-mail): email@example.com, telephone No: +48 61 67 92 520, hereinafter referred to as the “Controller” who is the “Service Provider” at the same time.
- The personal data collected by the Controller via a website shall be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”.
TYPE OF PERSONAL DATA PROCESSED, PURPOSE AND SCOPE OF DATA COLLECTION
- THE PURPOSE OF THE PROCESSING AND THE LEGAL BASIS. The Controller shall process personal data of Service Recipients of the Store www.dottore.pl whenever they:
- register the Account in the Store to create an individual account and manage it, pursuant to Article 6(1)(b) of the GDPR (execution of the contract for the provision of the service by electronic means in accordance with the Rules of the Store),
- place a purchase order in the Store to execute the contract of sale, pursuant to Article 6(1)(b) of the GDPR (execution of the contract of sale),
- subscribe for the Newsletter to receive commercial information by electronic means. The personal data shall be processed after a separate consent has been given pursuant to Article 6(1)(a) of the GDPR.
- THE TYPE OF PERSONAL DATA PROCESSED. The Service Recipient shall provide, in case of the:
- Account: full name, login, address, e-mail address.
- Purchase Order: full name, address, TAX ID NO (NIP), e-mail address, telephone number.
- Newsletter: full name, e-mail address.
- PERSONAL DATA ARCHIVING PERIOD. The personal data of Service Recipients shall be kept by the Controller:
- where the data is processed for the purpose of executing the contract, as long as it is necessary for the execution of the contract and thereafter for a period corresponding to the limitation period for claims. Unless specifically provided for in the special provision, the limitation period shall be six years, and for claims for periodic benefits and for business related claims – three years,
- where the data processing is based on the consent, as long as the consent is not cancelled and, after withdrawal, for a period corresponding to the limitation period of the claims that may be raised either by or against the Controller. Unless specifically provided for in the special provision, the limitation period shall be six years, and for claims for periodic benefits and for business related claims – three years.
- Additional information may be collected during your visit to the Store, in particular: IP address assigned to the Service Recipient's computer or an external IP address of the Internet provider, domain name, browser type, access time, operating system type.
- After a separate consent has been given, pursuant to Article 6(1)(a) of the GDPR, the data may also be processed for the purpose of transferring commercial information by electronic means or making phone calls for direct marketing purposes – in conjunction with Article 10(2) of the Act of 18 July 2002 on the provision of services by electronic means or Article 172(1) of the Act of 16 July 2004 – Telecommunications law respectively – including the data addressed as a result of profiling, provided that the Service Recipient has given a relevant consent.
- The navigation data may be also collected from the Service Recipients, including information about links and references they decide to click or other actions taken by them when visiting the Store. The legal basis for such activities is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) which is to facilitate the use of services provided by electronic means and to improve the functionality of these services.
- The provision of personal data by the Service Recipient is voluntary.
- The Controller shall exercise particular care to protect the interests of the data subjects and shall in particular ensure that the data collected by the Controller is:
- processed in accordance with the law,
- collected for specified, legitimate purposes and not further processed in a way incompatible with those purposes,
- 8.3. relevant and adequate for the purposes in which they are processed and kept in a form which permits the identification of the data subjects, not longer than is necessary to achieve the purpose of the processing.
TRANSFER OF PERSONAL DATA
- The personal data of Service Recipients shall be transferred to service providers engaged by the Controller for the purpose of Store operation and in particular to:
- entities supplying the products,
- providers of payment systems,
- the accounting office,
- hosting services provider,
- providers of software that supports business operations,
- entities providing the mailing system,
- providers of software required to operate the online store.
- The service providers referred to in paragraph 1 of this clause to whom personal data is transferred, depending on the contractual arrangements and circumstances, shall either follow the Controller’s instructions as to the purposes and methods of processing such data (processors) or shall determine their own purposes and methods of processing (controllers).
RIGHT TO CONTROL, ACCESS THEIR OWN DATA AND CORRECT IT
- The data subject shall have the right to access their own personal data and the right to rectify, remove, restrict processing, the right to transfer data, the right to object, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal basis for the Service Recipient’s request:
- Access to data – Article 15 of the GDPR.
- Rectification – Article 16 of the GDPR.
- Erasure (the so called right to be forgotten) – Article 17 of the GDPR.
- Restriction of processing – Article 18 of the GDPR.
- Data portability – Article 20 of the GDPR.
- Objection – Article 21 of the GDPR.
- Withdrawal of consent – Article 7(3) of the GDPR.
- For the purpose of exercising the rights referred to in paragraph 2, an appropriate e-mail shall be sent at: firstname.lastname@example.org
- If the Service Recipient requests to be able to exercise the right arising from the above provisions, the Controller shall either meet the request or refuse to comply with it without delay, but not later than within one month after receiving it. However, if, due to the complex nature of the request or the number of requests – the Controller is unable to meet the request within a month, the Controller shall do so within subsequent two months, after first informing the Service Recipient within one month of receiving the request of the intended extension of the time limit and its reasons.
- Where it is established that the processing of personal data violates the provisions of the GDPR, the data subject shall have the right to lodge a complaint with the President of the Office for Personal Data Protection.
- It is necessary to install the cookies for the purpose of correct provision of services on the Store website. The cookies include information necessary for the correct functioning of the website, and they also enable generation of general website visit statistics.
- The website uses two types of cookies: “session cookies” and “persistent cookies”.
- The “session cookies” are temporary files, which remain on the terminal device of the Service Recipient until they log out (leave the site).
- “Persistent cookies” are stored on the terminal device of the Service Recipient for the period specified in the parameters of the cookies or until they are deleted by the Service Recipient.
- The Controller uses its own cookies for better understanding how the Service Recipients interact with the content of the website. The files shall collect information on how the website is used by the Service Recipient, the type of the website from which the Service Recipient was redirected and the number of visits and the time of the Service Recipient's visit to the website. This information does not record any specific personal data of the Service Recipient but it is used to compile statistics on the use of the website.
- The Controller uses external cookies to collect general and anonymous static data via Google Analytics analytical tools (external cookie controller: Google Inc. with its registered office in the USA).
- The cookies may also be used by advertising networks, in particular the Google network, to display advertisements that match the manner in which the Service Recipient uses the Store. For this purpose, they may keep information on the navigation path of the Service Recipient or how long they stay on a given website.
- 7. The Service Recipient shall have the right to decide whether to allow the cookies to access their computer by selecting them first in the window of their browser. For detailed information about the possibility and how to handle cookies see the software settings (of the Internet browser).
- The Controller shall apply technical and organizational measures to ensure the protection of personal data processed, as appropriate to the risks and categories of the data protected, and in particular shall protect the data against unauthorized access, removal by unauthorized persons, processing in breach of applicable laws and alteration, loss, damage or destruction.
- The Controller shall make available appropriate technical measures to prevent unauthorized access and modification by unauthorized persons of personal data transmitted by electronic means.