Personal data protection
Dawid Wójtowicz, ul. Powstańców 9A, 44-193 Knurów, NIP: 9691381882, REGON: 240545908 registered in the Register of Entrepreneurs of the National Court Register kept by is the Controller of the collected personal data.
Contact details of the Information Security Administrator in the Company (currently the Data Protection Officer).
Mailing address: bb-shop.pl, ul. Powstańców 9A, 44-193 Knurów (e-mail: email@example.com)
Legal basis for personal data processing
|Legal basis for processing [GDPR]||Purpose of processing||Description of the legal basis for processing|
|Performance of the purchase contract [Art. 6(1)(b) GDPR]||Customers’ personal data may be processed by the Controller for the purpose of performing the services provided by the Controller, ordered by the Customer in accordance with the Terms of Purchase, such as creating an individual Account and ordering products via the Online Platform.
For the aforementioned purpose, the Controller may send communications to the e-mail address and phone number of the Customer, including information about the next stages of the order on the Online Platform, reminders, etc.
|Data processing for the purpose of performing the services provided by the Controller in accordance with the Terms of Purchase is within the law because it is necessary in order to perform a contract with the Customer, e.g. an online Sale.
As part of the functionality of an individual Account, the Customer may have access to such information as the purchase history, the complaints history and the withdrawal from the contract.
|Legal obligations of the Controller [Art. 6(1)(c) GDPR]||Customers’ personal data may be processed by the Controller in order to respond to complaints regarding the Website, Online Platform and products.||Data processing is within the law because it is necessary for the purposes arising from the applicable legal provisions (e.g. the Consumer Rights Act of the Polish Civil Code).|
|The Controller’s legitimate interest [Art. 6(1)(f) GDPR]||Customers’ personal data may be processed by the Controller also for the purpose of marketing the Controller’s products and services of.
Customers’ personal data may be processed also in order to respond to inquiries, complaints and queries regarding the Website, Online Platform and products.
|Data processing is within the law because it is necessary for the purposes arising from the legitimate interests pursued by the Controller.
The Controller’s legitimate interest consists in processing Customer data for the purpose of marketing the Controller’s products and services.
The Controller’s legitimate interest also consists in the need to respond to Customer inquiries and complaints as well as withdrawals from the contract.
|Your consent [Art. 6(1)(a) GDPR]||The Customer (e.g. via the Website when registering for an individual Account) may consent to:
||Consent is not a prerequisite for using the Controller’s Services.
Consent may be withdrawn at any time – via email and by post.
Withdrawing consent does not affect data processing (or the lawfulness of processing), which will retain its form (e.g. sending of commercial information and phone marketing which took place before the withdrawal).
Retention period of personal data
|Legal basis for personal data processing||Period of personal data processing|
|performance of contract||Customers’ personal data will be stored for as long as it is necessary to be able to use an individual Account, perform services and respond to an inquiry or complaint and no longer than:
until the account is deleted or
until the complaint is reviewed, or
until the limitation period for claims has expired.
|the Controller’s legal obligations||In some situations, the Controller is obliged by law to store personal data for a longer period. In such a case, the Customer’s personal data will be stored for the period required, in accordance with the law.|
|the Customer’s Consent||Personal data will be processed until the Customer has withdrawn their voluntary consent to data processing.|
|the Controller’s legitimate interest||Personal data will be processed until the Customer has successfully objected to the processing of data.|
Information on personal data processed
1. What kind of data are processed?
The Controller collects and processes the personal data of Website Customers who order products or services.
2. The Controller may collect and process personal data when (among other occasions) the Customer:
- visits the website;
- registers for an individual Account on the Online Platform;
- joins the loyalty programme;
- places an order on the Online Platform;
- subscribes to the newsletter;
- makes a complaint, withdraws from the contract or sends inquiries about products and services provided by the Controller.
3. Personal data collected and processed by the Controller include, among others:
- contact details – name, surname, email address, mobile phone number;
- verification data – information such as gender and age;
- data collected as cookies.
4. Is providing personal data necessary?
The provision of personal data by the Customer is fully voluntary, however, failure to provide the data necessary e.g. to set up an individual Account on the Online Platform, perform the service or respond to inquiries and complaints, and withdraw from the contract may accordingly prevent the Controller from taking action and hinder the provision of the appropriate functionality, services or information that the Customer expects.
The data provided by the Customer may be made available to third parties on the basis of personal data processing agreements concluded by the Controller. The recipients of the data will also be institutions authorised by law.
5. The right to access
The Customer has the right to access their personal data. They may contact the Controller in order to:
- confirm whether the Customer’s personal data are being processed;
- inquire about the purposes of processing the Customer’s personal data;
- inquire about the category of Customer data;
- request information about the recipients of the Customer’s personal data;
- request information about the planned retention period of the Customer’s personal data (or criteria for determining it);
- request information about the rights of the Customer regarding personal data being processed;
- request information about the sources of the Customer’s personal data if the data have not been collected from the Customer;
- request information on automated decision-making concerning the Customer based on the processing of collected personal data, including profiling.
The customer has the right to ask the Controller for a copy of the personal data being processed. Further copies may be subject to charge.
Rights in connection with the processing of your personal data
1. In connection with the processing of your personal data, you have the following rights:
|Customer’s rights||Description of Customer’s rights|
|the right to correct data||The Customer has the right to request the correction of personal data if they are incorrect or incomplete. If the data are incomplete, the Customer has the right to request their completion by submitting the appropriate statement to the Controller.|
|the right to restrict processing||The Customer has the right to “block” the processing of their personal data in certain situations, e.g. if:
“Blocking” the processing of personal data consists in the fact that the Controller will still be able to store the Customer’s personal data, but will not be able to process (use) it in any other way (except in particular situations, e.g. when it is required for reasons of important public interest).
|the right to data portability||The Customer has the right to request that the Controller provide them with the personal data in a structured, commonly used, machine-readable format. The Customer also has the right to transmit the data to another data controller or request that the Controller transmit the data to another data controller if technically possible.
The right to personal data portability applies only if the Customer’s personal data are processed:
|the right to erasure of data (the so-called right to be forgotten)||The Customer has the right to request the erasure of their data in some cases, e.g. when:
The right to request the erasure of personal data may be limited in some cases, e.g. when their processing is necessary to comply with the Controller’s legal obligations (e.g. in accordance with obligations related to the keeping of accounting records).
|the right to withdraw consent||The Customer has the right to withdraw consent at any time, e.g. in the Account settings section or by clicking the link attached to a marketing email they receive. In order to withdraw consent, the Customer can also contact the Controller using the following contact details: insert email.
Note! Withdrawal of consent may result in the Controller not being able to provide the Customer with services which were based on consent.
Withdrawal of consent does not affect the lawfulness of the processing that was carried out on its basis before the withdrawal.
|the right to object||The Customer has the right to object to the processing of personal data if the processing is based on the legitimate interest of the Controller.
The objection can be raised for reasons related to the Customer’s particular situation. If the Customer objects to:
The right to object concerns only the processing of personal data on the basis of the Controller’s legitimate interest and it does not apply to the processing of the Customer’s personal data on the basis of the performance of a contract, consent or other legal grounds.
|the right to lodge a complaint||The customer has the right to lodge a complaint with the supervisory authority – the President of the Office for Personal Data Protection.
Contact details for complaints can be found at: https://uodo.gov.pl/pl/p/kontakt
The use of professional tools
a) Google Analytics and cookies
The user has the possibility to block cookies by changing the web browser settings, however, this can hinder the functioning of some features of the Website. The user can also prevent Google from collecting and processing data generated by cookies by downloading and installing the plugin available on the website:
b) Google Ads
The Website also uses the free conversion tracking function, which is available in Google Ads. In this respect, Google is committed to protecting customer and user data. Every time a user clicks an ad, Google places a cookie on their computer that expires after 50 months. This technology makes it possible to carry out activities related to remarketing used to display Website ads to users who have previously visited the Website while they are browsing other sites on the internet.
If the user does not agree to this service, they may refuse to save cookies by changing the browser settings to disable the automatic cookie handling option. It is also possible to disable cookies used by Google to track conversions by changing the appropriate browser settings to block cookies from Google. For more information on tailored advertising and the possibility to opt out of sharing information from your web browser for behavioural advertising, please visit http://youronlinechoices.eu/
c) Facebook Pixel
d) Google Custom Search Engine
Google Custom Search Engine (CSE) is used on the Website. Information on the protection of user data by Google is available at:
e) Google Double Click
The Website may use DART cookies for the purpose of displaying ads by the Google DoubleClick system, which creates a cookie when websites are visited. The DoubleClick advertising system is used for this purpose. The cookies are used to display ads tailored to the user’s interests. DART cookies enable Google and partners to display specific ads to the user, based on their visits to the Website or other websites. The DART system does not track personal information, such as name, email address, address or phone number. The user has the possibility to disable the DART cookie – to do this, they have to visit the following website:
More information is also available on the following website:
It is also possible to collectively disable cookies used by ad providers. To do this, please go to the Network Advertising Initiative website:
c) Social media plugins
g) Google Tag Manager
h) Marketing Automation tools
The Website uses special tools to improve sales processes. The tools are designed to increase the efficiency of campaigns by automatically collecting and processing information on the behaviour of internet users when visiting the online store. Based on the analysed data, the tools direct personalised marketing messages to potential Consumers. Basic functions and activities of marketing automation are:
- monitoring and analysis of the behaviour of internet users visiting the platform;
- categorising potential Consumers (e.g. by interests, demographic information based on cookies);
- automatically creating marketing messages based on the above data;
- creating and sending newsletters, emails, pop-up messages and notifications, web push notifications;
- creating mailing lists and databases of internet users;
- monitoring the recipient’s response to the above forms of communication (open/bounce rates, click-through/transition rate)
|personal data||All information about an identified or identifiable natural person.|
|identifiable person||A person whose identity can be determined directly or indirectly, e.g. by reference to an identification number or a factor determining his or her physical, physiological, mental, economic, cultural or social characteristics.|
|processing personal data||Any operation on personal data, including collecting, recording, storing, processing, changing, sharing, deleting and copying.|
|personal data controller||An entity that determines the purposes and methods of processing personal data and bears responsibility for their processing in accordance with the law.|
|Data Protection Officer||Someone who ensures that the processing of personal data by the controller (or processing entity) is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), i.e. GDPR.