- The Administrator processes Users' personal data in compliance with applicable law, including especially Regulation of the European Parliament and the Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as ‘GDPR’), the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2018, item 1000) and other relevant provisions on the protection of personal data. The Administrator undertakes to maintain the security and confidentiality of personal data obtained from Users, by implementing appropriate security, technical and organizational measures to meet the highest level of personal data protection, to ensure compliance with law and reliability of personal data processing processes, as well as to respect Data Subjects’ rights.
- The administrator of Users' personal data is E-Garderobe Sp. z o.o. with its seat in Warsaw, ul. Mokotowska 45/7, 00-551 Warsaw, entered into the National Court Register under KRS number: 0000723320, registry court: District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register, NIP: 5252743364, REGON: 369702035, share capital: PLN 5,000.00 (hereinafter referred to as the ‘Administrator’).
- Users may submit any inquiries, requests, and complaints regarding the processing of personal data to the Administrator:
- by e-mail: firstname.lastname@example.org
- by phone: +48 662 407 375
- by post: E-Garderobe Sp. z o.o. ul. Mokotowska 45/7, 00-551 Warsaw
TYPES OF COLLECTED DATA
- The Administrator collects personal data of Registered Users to the extent necessary to provide them with services offered on the Site, in addition, for analyzes and statistics purposes which improve the quality of services provided.
- The administrator collects and processes, among others, the following personal data of Users:
- name, surname, e-mail address, mobile phone number;
- home address, delivery address (city, postal code, street, building/flat number);
- company name, tax identification number (for Users who act as entrepreneurs);
- bank name and bank account number or payment card number (used for making payments);
- IP address;
PURPOSES AND LEGAL BASIS FOR DATA PROCESSING
The Administrator processes Users' personal data for the following purposes:
- conclusion and execution of the Garment Rental Agreement or for provision of electronic services available on the Site (e.g. Account maintenance service, replying to a message sent via the Contact Form). The legal basis for processing in this case is the necessity to process data to perform the contract concluded with the User (Article 6 (1) (b) of GDPR);
- fulfillment of the legal obligations incumbent on the Administrator resulting, for example, from tax and accounting regulations, the Act on consumer rights, the provisions of the Civil Code (e.g. implementation of the complaint process or withdrawal from the contract). The legal basis for processing in this case is the need for the Administrator to fulfill its legal obligations (Article 6 (1) (c) of GDPR);
- implementation of marketing activities of own services and products offered by the Administrator - the legal basis for data processing in this instance is the necessity to implement the Administrator's legitimate interest by promoting its services provided on the Site (Article 6 (1) (f) of GDPR);
- Newsletter service provided by the Administrator - upon the User's separate consent, the Administrator may process his personal data (e-mail address, mobile phone number) in order to send the User by electronic means commercial information regarding the services offered by the Administrator (Newsletter). The User, at any time, has the right to demand to discontinue receiving that commercial information by electronic means. In this case, the legal basis for processing is the consent given by the User to provide the Newsletter service (Article 6 (1) (GDPR));
- implementation of analytical and profiling activities - the Administrator may monitor the User's activity on the Site by creating statistics e.g.to match the offer to the needs and interests of Users, aiming at improving the services rendered. The legal basis for data processing is the necessity to implement the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR),
- possible establishment, enforcement or defense against claims - the legal basis for data processing is the necessity to implement the legitimate interest of the administrator consisting in the protection of its rights (Article 6 (1) (f) of GDPR);
Providing personal data by the User to the Administrator is fully voluntary, although it may turn out to be necessary for providing certain services to Users by the Administrator. Failure to provide personal data necessary to provide specific services will result in the Administrator's inability to provide these services to the User. Providing certain personal data by the User may be necessary to:
- Conclude and execute the Rental Agreement of the ordered Goods;
- create a User Account on the Site;
- provide the Newsletter service;
- issue a VAT invoice for the execution of Orders;
- handle the complaint procedure initiated by the User and the performance of the Administrator's obligations resulting therefrom;
- handle the User's withdrawal from the Agreement and performance of the Administrator's obligations resulting therefrom;
PERIOD OF DATA PROCESSING
- The User's personal data is processed by the Administrator only for the period necessary to carry out the purposes of processing related to the functioning of the Site.
- If the data processing is based on the execution of the agreement concluded with the User, the User's personal data is processed for the period necessary to perform the agreement, and after this time, for a period corresponding to the period of limitation of claims to which the Administrator or the User are entitled.
- If the processing of personal data is based on the consent given by the User, the personal data is processed till the consent is revoked, and after that time, for a period corresponding to the period of limitation of claims to which the Administrator or the User are entitled.
- If the processing of personal data is based on the legitimate interest of the Administrator, the data is processed until the User submits an effective objection to the processing.
- In some cases, the period of data storage is regulated by law, which states that the User's personal data shall be kept for the period required by these provisions of law.
- To ensure the proper functioning of the Site, especially for the implementation of Garment Rental Agreements concluded with Users, the Administrator cooperates with trusted external entities providing e.g.: computer software delivery services, courier services, payment services, or accounting services. The Administrator provides Users' personal data in a manner consistent with applicable law, especially in accordance with the provisions of GDPR, only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve a given purpose of processing.
- To ensure the proper functioning of the Site, the Administrator may pass Users' personal data to the following categories of recipients:
- entities providing courier or postal services - to the extent necessary to deliver the ordered Goods to the User;
- entities handling electronic payments or card payments - to the extent necessary to handle payments made by the User under the Garment Rental Agreement concluded with the Administrator;
- IT service providers necessary for the Administrator to operate the Site - especially, suppliers of computer software used to run the Site, e-mail service providers and hosting service providers,
- The Administrator may also provide Users' personal data at the request of authorized state authorities, within the limits of applicable law and according to the competences of these authorities.
- In principle, Users' personal data is processed for Site's functioning only in the European Economic Area (European Union countries and European Free Trade Association countries, except Switzerland), subject to the transfer of Users' data to entities described further herein based in the United States, which results from the fact that the Administrator use the services offered by Google LLC, Facebook Inc., Hubspot, Inc. Instagram LLC, and Pinterest Inc. all based in the USA.
- In accordance with the position of the European Union authorities, entities based in the territory of the United States may not provide an adequate level of personal data protection, as required by EU law. However, the application of the required level of protection can be confirmed per-entity in line with the requirements of the EU-US Privacy Shield ("PrivacyShield"). The accession of a given entity to the EU-US Privacy Shield program guarantees compliance with high standards in the field of personal data protection, corresponding to those in force in the European Union. Therefore, the use of services and technologies offered by the above-mentioned entities in the processing of personal data comply with the currently applicable provisions on the protection of personal data.
- If the Administrator intends to pass the Users' personal data to third countries exceeding the scope mentioned above, it can be done only for the purpose necessary to provide services within the Site and in compliance with the obligations required by law (Article 44 et seq. GDPR).
- Profiling is a form of automated processing of personal data, which consists in the use of personal data to evaluate certain personal factors of a natural person, especially to analyze or forecast aspects related to its personal preferences or interests.
- The Administrator may use profiling to prepare and present to the User an offer tailored to its individual preferences, or provide benefits, including discounts matching the User's needs, as well as to create analyzes and statistics aimed at improving the services available on the site.
- The site user has the right to refuse to be subject of automated processing solely, including profiling, and produces legal effects for the User or significantly impacts him, unless this is necessary to conclude or execute the agreement between the Site User and the Administrator, either is allowed by the law of the European Union or the law of the Member State to which the Administrator is subject to and which provides for appropriate measures to protect the rights, freedoms and legitimate interests of the User or when it is based on the User's express consent.
- The site may use the following types of cookies:
- temporary (sessional) - they remain on the User's device until logging out of the Site or closing the browser (therefore, they remain active until the end of the session);
- persistent - remain on the User's device also after the end of the Site session and are stored on the User's device for the time specified in the parameters of a given cookie or until they are manually deleted;
- The site uses the Service Provider's cookies (so-called ‘internal’) for the following purposes:
- providing services within the Site;
- configuration and proper functioning of the Site (optimization of the use of the Site, saving the settings selected by the User);
- authentication of the User on the Site and maintaining the User's session after logging in;
- creating analyzes and statistics on how the User uses the Site, which allows improving Site structure and content;
- The site uses third party cookies (so-called ‘external’) for the following purposes:
- presenting multimedia content on the site which is downloaded from an external site (e.g. YouTube.com, cookie administrator: Google LLC, based in the USA);
- presenting adverts of the Administrator's own services and products, tailored to the User's preferences with the use of online advertising tools (e.g. Google AdWords, cookie administrator: Google LLC, based in the USA)
- logging in to the Site by the User using social networking sites (e.g. Facebook.com, cookie administrator: Facebook Inc. based in the USA or Facebook Ireland based in Ireland; Google.com, cookie administrator: Google LLC, based in the USA);
- collecting general and anonymous static data via analytical tools (e.g. Google Analytics, cookie administrator: Google LLC based in the USA; Hubspot, cookie administrator: Hubspot Inc. based in the USA);
- use of interactive functions to popularize the Site using social networking sites (e.g. Instagram.com, cookie administrator: Instagram LLC, based in the USA; Facebook.com, cookie administrator: Facebook Inc. based in the USA or Facebook Ireland based in Ireland; Pinterest.com, cookie administrator: Pinterest Inc. based in the USA);
- presenting opinions on the Site which are downloaded from an external site (e.g. Ceneo.pl, cookie administrator: Opineo Sp. z o.o. based in Wrocław, Poland);
- An exemplary cookie management instruction is available at http://www.allaboutcookies.org/manage-cookies.
- As part of the operation of the Site Users' IP addresses may be collected. The IP address is a unique number assigned to the User’s end device (computer, tablet) by the Internet service provider. Collecting data on Users' IP addresses as part of the Site functioning is primarily used to diagnose technical problems with the server, ensure the security and correct functioning of the Site, create analyzes and statistics, and other activities aimed to improve the services provided on the Site.
USERS’ RIGHTS REGARDING DATA PROCESSING
- Users have the following rights related to the processing of personal data by the Administrator:
- The right to access their own personal data (Article 15 of GDPR) - the User has the right to request information on the purposes of processing, categories of personal data being processed, recipients or categories of recipients of such data, the planned period of storage of the data or the criteria for determining this period (if determination of the planned period of data processing is not possible), on the right to lodge a complaint with the supervisory authority, on the source of the data if it has not been collected from the data subject, on automated decision making, including profiling and the security measures used in connection with the transfer of such data outside The European Union. The User has the right to obtain a copy of his personal data - the first copy is issued free of charge, and any subsequent copy shall be charged a fee by the Administrator, corresponding to the cost of making a copy;
- The right to request amendment of their own data (Article 16 of the GDPR) - the data subject has the right to request the Administrator to amend the incorrect personal data, without undue dely. Considering the purposes of processing the data subject has the right to request to supplement incomplete personal data, by providing an additional statement.
- The right to request the deletion of all or some personal data (‘the right to be forgotten) (Article 17 of the GDPR), in the following cases:
- personal data is no longer needed for the purposes it has been collected or processed;
- if the User revokes its consent to personal data processing and there is no other basis for data processing. However, withdrawal of consent, does not affect the lawfulness of the processing carried out prior to this withdrawal;
- if the User has lodged an objection to the processing of the data and there are no overriding legitimate grounds for processing. If the data subject objects to processing for direct marketing purposes, the Administrator cannot further process the data in this respect;
- personal data is processed unlawfully;
- personal data must be removed in order to comply with the legal obligation stipulated by the European Union law or the law of the Member State to which the Administrator is subject;
- personal data has been collected in relation to offering of information society services and relates to a minor.
Despite the User’s submission of a request to delete personal data, due to the withdrawal of consent or objection, the Administrator can further process certain personal data to the extent necessary to exercise the right to freedom of expression and information, to fulfill the legal obligation on processing under EU law or the law of a Member State to which the Administrator is subject, as well as if personal data processing is necessary to establish, pursue or defend claims.
- The right to request restriction of data processing (Article 18 of the GDPR) - the data subject has the right to request the Administrator to limit processing in the following cases:
- If the user questions the correctness of personal data - for a period allowing the Administrator to verify the correctness of such data;
- the processing is against the law and the data subject objects to the deletion of personal data and requests the restriction of their use instead;
- The Administrator no longer needs the User's personal data for processing purposes, but it is necessary for the User to establish, pursue or defend claims;
- The Data Subject has lodged an objection pursuant to Art. 21 sec. 1 GDPR against processing - until it is determined whether the legitimate grounds on the part of the Administrator override the grounds for objection of the data subject.
If in the above-mentioned in cases, the processing of data has been limited, such personal data may be processed, except for storage, only upon consent of the data subject, or for the establishment, pursue or defense of legal claims, to protect the rights of another natural or legal person, or due to important reasons of public interest of the EU or of a Member State.
- The right to transfer data (Article 20 of the GDPR) - the data subject, whose data is processed either based on its consent or the agreement concluded with the Administrator, or is processed in an automated manner, has the right to receive this data in a format that allows computer reading of this data and the right to send it in such a format to another personal data administrator;
- The right to lodge a complaint with the supervisory body - the President of the Personal Data Protection Office - if the User deems that personal data is processed in violation of GDPR and other generally applicable provisions of law on the protection of personal data;
- The right to object (Article 21 of GDPR) - the User has the right to lodge an objection at any time – due to its situation - to the processing of its personal data, including profiling, if the Administrator processes the data based on its legally justified interest or in relation to Administrator's performance of tasks in the public interest. The administrator ceases the data processing due to the objection, unless he demonstrates the existence of valid, legally justified grounds for processing, overriding the interests, rights and freedoms of the data subject, or the grounds for establishing, pursuing, or defending claims. In particular, the User has the right to object to the processing of its data for direct marketing purposes, including profiling. If the data subject objects to processing for direct marketing purposes, the Administrator shall no longer process the User's data for such purposes.
- To all matters not settled herein, the relevant provisions of generally applicable law shall apply. If any of the provisions contained herein are deemed invalid, ineffective, or unenforceable to any extent, this shall not affect the validity of the remaining provisions.