In accordance with the requirements of REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the ‘Regulation’, we inform you that:
(1) Personal data controller
The controller of the personal data, hereinafter referred to as the ‘Controller’, is the company:
BAKATA DESIGN SP.J., National Court Register (KRS) number: 0000295627, REGON number: 020676851, Tax Identification Number (NIP): 8942928953
with its registered office in Wrocław, 53-324, ul. gen. Józefa Hallera 78 lok. 5
The Controller is responsible for the use of personal information in a secure manner, compatible with the purposes for which it was collected and in accordance with the applicable legal provisions.
Contact with the Controller
Contact details of the Controller:
e-mail: gdpr@bakata.pl
address for correspondence: 53-324 Wrocław, ul. gen. Józefa Hallera 78 lok. 5
(2) General provisions
We use the personal data only for specific, legitimate purposes for which the data were collected. The scope of personal data, the purpose of their processing, the legal basis for such processing, the processing period, and the categories of recipients of the data result from legal requirements to which the controller is subject, and from the nature and the scope of the activities undertaken by the data subject.
(3) The purpose of the processing of data by the Controller, the legal basis for the processing, and the period during which the personal data shall be stored:
(a) The purpose of the processing: To take action at the request of the data subject prior to the conclusion of the agreement (e.g. preparation of the offer).
Legal basis for the processing: Article 6(1)(b) of the Regulation (‘performance of the agreement’)
Storage period: The data shall be stored for the period necessary for the performance, termination or expiration of the agreement, and for the period after which any potential claims are time-barred.
(b) The purpose of the processing: To conclude and perform an agreement (including ensuring adequate quality of services)
Legal basis for the processing: Article 6(1)(b) of the Regulation (‘performance of the agreement’)
Storage period: The data shall be stored for the period necessary for the performance, termination or expiration of the agreement and the settlements, and for the period after which any potential claims are time-barred.
(c) The purpose of the processing: To carry out direct marketing (targeting communications to carefully selected individual customers, on a one-to-one basis, in order to generate a direct reaction (response))
Legal basis for the processing: Article 6(1)(f) of the Regulation (‘legitimate interests of the Controller’)
Storage period: The data shall be stored for the period of existence of any legitimate interest of the Controller and for the period after which any potential claims are time-barred. If the data subject expresses an effective objection to the use of his or her personal data, the Controller shall no longer process the data for direct marketing purposes.
(d) The purpose of the processing: To carry out marketing
Legal basis for the processing: Article 6(1)(a) of the Regulation (‘consent of the data subject’)
Storage period: The data shall be stored until the data subject withdraws his or her consent to further processing of his or her data for marketing purposes.
(e) The purpose of the processing: To issue, collect and store invoices and accounting documents, and to keep accounting records
Legal basis for the processing: Article 6(1)(c) of the Regulation (‘compliance with a legal obligation’), in relation to Article 74(2) of the Accounting Act and in relation to Article 86(1) of the Tax Ordinance Act.
Storage period: The data shall be stored during the period in which the provisions require keeping records and accounting evidence (i.e. for 5 years counting from the beginning of the year following the financial year to which the data refers) and for the period after which any potential tax liabilities are time-barred.
(f) The purpose of the processing: To respond to complaints within the time limit and in the form provided by the provisions
Legal basis for the processing: Article 6(1)(c) of the Regulation (‘compliance with a legal obligation’)
Storage period: The data shall be stored for a period of one year from the expiry of the warranty or from the settlement of the complaint, and thereafter for the period after which any potential claims are time-barred.
(g) The purpose of the processing: To allow the Customer to express his or her opinion
Legal basis for the processing: Article 6(1)(a) of the Regulation (‘consent of the data subject’)
Storage period: The data shall be stored until the data subject withdraws his or her consent to further processing of his or her data for this purpose.
(h) The purpose of the processing: To detect and prevent fraud
Legal basis for the processing: Article 6(1)(c) of the Regulation (‘compliance with a legal obligation’)
Storage period: The data shall be stored for the duration of the agreement, and thereafter for the period after which the claims arising from the agreement are time-barred. In the event of pursuing any claims by the Controller or notifying the competent authorities – for the duration of such proceedings and ‘for 5 years from the beginning of the year following the financial year in which the operations, transactions and proceedings were finally completed, repaid, settled or time-barred’
(i) The purpose of the processing: To establish, defend and pursue claims raised by or against the Controller (including selling the receivables to another entity)
Legal basis for the processing: Article 6(1)(f) of the Regulation (‘legitimate interest of the Controller’) in relation to Article 74(2) of the Accounting Act.
Storage period: The data shall be stored for the period:
– after which the claims arising from the agreement are time-barred;
– in the event of pursuing any claims by the Controller in civil proceedings or claims involved in criminal or tax proceedings, the accounting evidence (which may contain personal data) must be stored ‘for 5 years from the beginning of the year following the financial year in which the operations, transactions and proceedings were finally completed, repaid, settled or time-barred;’
– during which the Controller may face legal consequences for non-fulfillment of an obligation, e.g. be imposed an administrative penalty.
(4) Recipients of the data
In order to perform the agreement and to ensure the proper functioning of the Controller’s websites, the Controller uses the services of cooperating external entities (e.g. post, couriers, payment processors). Personal data are transmitted to external entities only if and to the extent that is necessary for the purpose of the processing. The transmitted personal data may be used by the external entities only to carry out the task assigned by the Controller.
Personal data may be transmitted to the following, cooperating with the Controller recipients:
entities providing postal, courier and similar services (e.g. courier brokers) – to the extent necessary to carry out the delivery and correspondence;
selected entities acting on behalf of the Controller in handling accounting, tax, consulting, legal and debt recovery matters (including entities purchasing receivables) – to the extent that is necessary for the specific purpose of the processing;
entities providing technical assistance services to the Controller, and providers of IT solutions that are required by the Controller to run its business (e.g. software providers, e-mail and hosting providers) – the Controller shall make personal data available to a trusted provider acting on its behalf only in the event and to the extent that is necessary for the specific purpose of the processing.
(5) Transfer of data outside the European Economic Area
Our website is equipped with plugins for the social network facebook.com, whose controller is Facebook Inc., 1601 Willow Road Menlo Park, California 94025 (‘Facebook’). When accessing a website equipped with such a plug-in, the user causes his or her browser to connect directly to the Facebook server. The plug-in sends information to the Facebook server regarding the page that was visited. If the user is logged in to Facebook while browsing our website, and he or she clicks the ‘Like’ button (‘Like this page’) or leaves a comment, Facebook would save this information to the user’s Facebook account. In order to avoid Facebook recording your visit to our website, you should log out of Facebook before visiting our website.
Personal data may also be transferred outside the European Economic Area (which includes the European Union, Iceland, Liechtenstein and Norway) based on appropriate legal safeguards, which are standard contractual clauses for the protection of personal data approved by the European Commission. Personal data may also be transferred to, for example, Google LLC. This entity ensures that the personal data transferred to the United States of America are secure, as they are protected under the EU-U.S. Privacy Shield Framework. See also item 9 Web analysis.
(6) The rights of the individuals whose data are processed by the Controller
The processing of personal data does not require consent if, among others, the processing is necessary for the performance of an agreement or performance of activities prior to concluding an agreement, if it results from legal requirements to which the controller is subject or if it is necessary for the performance of a legitimate interest of the Controller. If the consent is necessary to process the personal data for a specific purpose, the Controller asks for such consent. A granted consent may be withdrawn at any time.
In the event of the withdrawal of consent, the data shall no longer be processed to the extent of the consent, but the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Under the terms and conditions contained in the Regulation, the data subject also has the right to request access to data concerning him or her from the Controller, the right to rectify, erase (‘forget’) or restrict their processing, object to the processing, as well as the right to data portability.
If personal data are processed for direct marketing purposes, at any time the individual may object to the processing of such data for marketing purposes, including profiling, to the extent that the processing is related to direct marketing.
In order to exercise the aforementioned rights, the individual is to submit a request to the Controller by e-mail, post or in person at the seat of the Controller. The Controller contact details are provided in the introduction. In order to make sure that an individual submitting a request is authorized to do so, the Controller may ask for additional information confirming the identity of the submitter.
The provisions of the Regulation set out to what extent each of these rights may be exercised. It shall depend, in particular, on the legal basis and the purpose of the processing of personal data by the Controller. The aforementioned rights may be exercised free of charge not more than every 6 months. In accordance with Article 12 of the Regulation, if the requests of the data subject are manifestly unfounded or excessive, in particular due to their continuing character, the Controller may charge a fee.
The data subject has the right to lodge a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection.
(7) Obligation or absence of an obligation to provide personal data
The use of the Controller’s services and the provision of personal data to the Controller is voluntary. However, the data subject is obliged to provide them in relation to:
concluding an agreement with the Controller – in this case, providing personal data is a contractual condition, and the data subject is obliged to provide the required data if he or she wishes to conclude an agreement with the Controller. Each time the scope of data required to conclude an agreement is communicated to the data subject. The consequence of failing to provide the data is the impossibility to conclude an agreement.
Fulfilling the obligations imposed on the Controller by the law – in this case, providing personal data is a statutory condition resulting from the provisions imposing on the Controller the obligation to process personal data (e.g. in relation to the obligation to issue, collect and store invoices and accounting documents, and to keep accounting books). Failure to provide such data will prevent the Controller from fulfilling the aforementioned duties, which will result in the impossibility to conclude a contract.
(8) Use of data for advertising purposes
8.1 Newsletter
The newsletter is sent only to those Users who have granted their consent and provided their e-mail address. At any time, the consent to receive the newsletter may be withdrawn by contacting the Controller at the address provided above.
8.2 Banner advertising
Banner ads are advertising that, when clicked on, take the User to another page. Banner ads show him or her, for example, the products that he or she has viewed, or similar products. We may also show the User our partners ads.
Banner advertising uses cookies or pixels. Direct User Information is not saved. Only pseudonymized data is used. Additional information about cookies, pixels and retargeting/remarketing is provided below.
8.3 Cookies
The Controller’s websites use cookies, which are text files stored on the User’s device. These files allow the analysis of the way the website is used and identifying the User’s web browser. By introducing appropriate browser settings, the installation of cookies can be blocked – this may limit the functionality of the website.
More information:
Chrome,
Firefox,
Safari,
Opera,
Edge,
Internet Explorer.
The Controller may process the data contained in the cookies to anonymously analyze the visitors’ actions, study their behavior (e.g. opening specific pages) in order to provide them with advertisement tailored to their expected interests, also when they visit other websites that are partners in the advertising network of Google Inc. and Facebook Ireland Ltd., and in order to improve the administration of the Controller’s websites.
8.4 Onsite Targeting
The Controller uses cookie technology to analyze the visitors’ actions (e.g. opening specific subpages) and may show advertisements and/or special offers to the User. The purpose of these actions is to present the User with content that is the most relevant to the User’s area of search.
8.5 Retargeting, third party cookies and third party data collection for banner advertising purposes
The Controller’s websites use retargeting (remarketing) technology
The Controller uses the services of third parties that use cookies on the Controller’s website, these are:
Google Analytics, Universal Analytics and Google Remarketing provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Detailed information regarding these services is available at:
https://policies.google.com/technologies/partner-sites?hl=pl see also https://policies.google.com/privacy/update?hl=pl&gl=pl
and the services of
Facebook Pixel provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). Detailed information is available at: https://www.facebook.com/about/privacy
The user may disable cookies by changing the settings of his or her web browser.
8.6 How can I block cookies from being saved?
In order to block cookies from being saved, the User is to enable settings in his or her web browser that allow saving cookies only if he or she agrees to it. (see 8.3)
In order to accept the Controller’s cookies and at the same time block the third party cookies, the User shall select the ‘Block third party cookies’ option in the browser settings.
8.7 Contests, market research and opinion poll
Each contest or promotional campaign has its own Regulations. In order to participate, the User is asked to provide personal data listed in the given Regulations, and to agree to the use of telecommunication devices (phone number, e-mail address) by the organizer of the contest, market research or opinion poll in order to carry out direct marketing by the Controller. The personal data provided shall be processed to run the contest and notify the winner, and for the market research or opinion poll purposes.
The answers provided during the market research or opinion poll shall not be shared with third parties, or published.
(9) Web analysis
The Controller uses the Google Analytics web analysis services provided by Google. Google Analytics analyzes user behavior on the website through the use of cookies. The information generated by cookies regarding the website use (including the User’s IP address) is transmitted to and stored by Google on servers in the United States.
Google shall use this information in order to analyze the website use by the User, create reports for websites using Google Analytics, and provide other services. Google may also share this information with third parties where required to do so by law, or where such third parties process the information on Google’s behalf.
By using this website, the User grants consent to the processing of data concerning him or her by Google in the manner and for the purposes identified above.
The website is analyzed by Google Analytics with the extension ‘_anonymizeIp()’, and therefore IP addresses are only processed in an abbreviated form, which prevents direct association of an address with a User.
The User may refuse to use cookies by introducing appropriate browser settings. This may limit the functionality of the website, and it may not be possible to use all of its functions.
The consent for collection and gathering of personal data may be withdrawn at any time with effect for the future.
In order to prevent the transfer of data generated by cookies related to use of the website by the User (including the User’s IP address) to Google, and prevent the processing of this data by Google, simply download and install in your browser blocking plugins available at the following address: https://tools.google.com/dlpage/gaoptout?hl=en
(10) Server log files
The Internet browser provides data about the user activity on the Controller’s websites, which are saved in server log files. The data records saved in this way contain the following data: date and time of the download, name of the page accessed, amount of data downloaded, as well as information about the product version of the Internet browser used, IP address, URL of the traffic source website (address of the site from which the user was redirected).
The server log file data records are analyzed for troubleshooting, server performance management, protection against DDoS attacks and customization of the offer.
(11) Automated decision-making and profiling
Personal data will not be used for automated decision-making producing legal effects on the data subject, including profiling.
(12) Final provisions
The Controller’s websites may contain links (references) to other websites. Such websites operate independently of the Controller and are not supervised by the Controller in any way. When visiting other websites, the Controller recommends getting familiarized with their own privacy policies. The Controller shall not be held responsible for the data handling rules on those websites.