- Personal data controller
- The personal data controller within the meaning of Article 4 paragraph 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is Matterhorn Moda Sp. z o.o. at 51 Katowicka Street, 41-400 Mysłowice, tax number: PL8961552779.
- Contact details of the data controller:
- phone number: +48 503 503 875
- e-mail address: email@example.com
- The data controller pursuant to Article 32 paragraph 1 of the General Data Protection Regulation, observes the principle of personal data protection and applies appropriate technical and organisational measures to prevent accidental or unlawful destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data processed in the course of its activities.
- The provision of personal data is voluntary, but necessary in order to establish cooperation and/or conclude an agreement with the data controller.
- The data controller processes personal data in the form of identification data (name and surname and company name), address data, tax identification number and other registration numbers, contact data (e-mail address, phone number) and identification data of persons indicated for contact.
- Purpose and grounds for processing personal data
The data controller processes personal data for the following purposes:
- preparation of a commercial offer in response to a customer’s interest, which is a legitimate interest of the data controller (Article 6 paragraph 1 point f of the GDPR);
- provision of services by electronic means through the Web Portal, on the basis of a concluded contract (Article 6 paragraph 1 point b of the GDPR);
- handling the complaint process, on the basis of the obligation imposed on the data controller in relation to the applicable legal regulations (Article 6 paragraph 1 point c of the GDPR);
- accounting – related to the issuance and acceptance of accounting documents, on the basis of tax law regulations, including the Accounting Act of 29 September 1994 and the Value Added Tax Act of 11 March 2004 (Article 6 paragraph 1 point c of the GDPR);
- the archiving of data for the possible establishment, investigation or defence of claims or the need to prove facts, which is a legitimate interest of the data controller (Article 6 paragraph 1 point f of GDPR);
- to contact by phone or e-mail, in particular in response to enquiries addressed to the data controller, which is a legitimate interest of the data controller (Article 6 paragraph 1 point f of GDPR);
- to send technical information concerning the functioning of the Portal and the services used by the customer, which is a legitimate interest of the data controller (Article 6 paragraph 1 point f of the GDPR);
- marketing the data controller’s own products, which is in the controller’s legitimate interest (Article 6 paragraph 1 point f of the GDPR) or on the basis of prior consent (Article 6 paragraph 1 point a of the GDPR).
III. Recipients of data. Transfer of data to third parties
- The recipients of personal data processed by the data controller may be the entities cooperating with the data controller when it is necessary to perform the contract concluded with the data subject.
- The recipients of personal data processed by the data controller may also be subcontractors – entities whose services are used by the data controller in the processing of data, such as accounting offices, law firms, entities providing IT services (including hosting services).
- The data controller may be required to provide personal data on the basis of applicable laws, in particular, to provide access to personal data to authorized bodies or institutions.
- Personal data may be transferred to an entity based outside the European Economic Area, i.e., to Google LLC as a provider of Google Analytics and Google AdWords based on the appropriate legal securities, which are standard contractual clauses of personal data protection approved by the European Commission.
- Period of personal data storage
- The data controller shall store personal data for the duration of the contract concluded with the data subject and after its termination for the purposes of pursuing claims related to the contract, fulfilling the obligations arising from the applicable laws, but not longer than the period of limitation according to the provisions of the Civil Code.
- The data controller shall keep the personal data contained in the billing documents (e.g. invoices) for the period of time indicated by the provisions of the Act on Goods and Services Tax and the Accounting Act.
- The data controller shall keep the personal data processed for marketing purposes for a period of 10 years, however, not longer than until the withdrawal of consent to the processing of the data or until the objection to the processing is raised.
- The data controller shall store personal data for purposes other than those indicated in paragraphs 1 to 3 for a period of 3 years, unless consent to the processing of the data has been previously withdrawn and the processing of the data may not be continued on any other basis than the consent of the data subject.
- Rights of the data subject
- Every data subject has the right:
- to have access – to obtain confirmation from the data controller as to whether their personal data are being processed. If a person’s data are processed, he or she is entitled to obtain access to them and obtain the following information: the purposes of the processing, categories of personal data, information on the recipients or categories of recipients to whom the data have been or will be disclosed, the period of storage of the data or the criteria for determining them, the right to request the rectification, erasure or restriction of the processing of personal data to which the data subject is entitled and to object to such processing (Article 15 of the GDPR);
- to obtain a copy of the data – to obtain a copy of the data to be processed, the first copy is free of charge, and for subsequent copies the data controller may charge a reasonable fee resulting from the administrative costs (Article 15 paragraph 3 of the GDPR);
- to rectify – to request the rectification of personal data that are inaccurate or to supplement incomplete data (Article 16 of the GDPR);
- to erasure – to request the erasure of his/her personal data if the data controller no longer has a legal basis for their processing or the data are no longer necessary for the purposes of processing (Article 17 of the GDPR);
- to restrict processing – to request a restriction of processing of personal data (Article 18 of the GDPR) when:
– the data subject questions the accuracy of the personal data – for a period of time allowing the data controller to check the accuracy of the data,
– processing is unlawful and the data subject opposes their deletion by demanding a restriction on their use,
– the data controller no longer needs these data, but they are needed by the data subject to establish, pursue or defend claims,
– the data subject has lodged an objection to the processing, until it has been established whether the legitimate grounds of the data controller take precedence over those of the data subject;
- for the transfer of data – to receive in a structured, commonly used machine-readable format personal data concerning him/her which he/she has provided to the data controller, and to request that the data be sent to another data controller, if the data are processed on the basis of the data subject’s consent or a contract concluded with him/her and if the data are processed by automated means (Article 20 of the GDPR);
- to object – to object to the processing of their personal data for the legitimate purposes of the data controller, on grounds relating to their particular situation, including profiling. In such a case, the data controller shall assess the existence of important legitimate grounds for processing overriding the interests, rights and freedoms of data subjects or grounds for establishing, pursuing or defending claims. If, according to the assessment, the interests of the data subject take precedence over the interests of the data controller, the data controller shall be obliged to cease the processing of data for these purposes (Article 21 of the GDPR).
- In order to exercise the aforementioned rights, the data subject shall contact the data controller using the contact details provided and inform him/her which right he/she wishes to exercise and to what extent.
- The data subject has the right to lodge a complaint with the supervisory authority which is the President of the Office for Personal Data Protection in Warsaw.
- Personal data obtained by the data controller may be processed automatically – including in the form of profiling. Personal data profiling performed by the data controller consists in the assessment of selected information about the data subject for the purpose of analysis and forecasting of personal preferences and interests, in particular for the possibility of providing the data subject with a personalised offer.
- Automatic processing of data by the data controller shall not produce any legal effects for the data subject. The data subject may at any time object to the automated processing of his or her data.
VIII. Google Analytics
- The data controller uses Google Analytics, a mechanism for analysing Internet services offered by Google LLC. Google Analytics also uses so-called “Cookies”, text files which are saved on the User’s computer and enable analysis of his or her use of the website. The information generated by the cookie about the User’s use of the website is usually transferred to a Google server in the USA and saved there.
- The data controller uses Google Analytics to analyse the use of the Portal and to improve it regularly. Thanks to the statistics obtained, it can improve the offer and make it more interesting for the User. With regard to the exceptional cases in which personal data is transferred to the USA, Google is subject to the EU-US Privacy Shield Agreement. The legal basis for the Administrator’s use of Google Analytics is Article 6 paragraph 1 letter f of the GDPR.