I. General provisions
II. Basis for processing personal data
III. Type of personal data processed and purpose of data processing
IV. Methods of personal data collection
V. Cookies and other data collection solutions
VI. Third parties processing personal data
VII. User rights related to the processing of personal data
VIII. Period of personal data processing
IX. Security of personal data processing
X. Privacy of children
I. GENERAL PROVISIONS
1. By accepting personal data, we are the Administrator that will process them. The Administrator of the Website is „OE Industry” spółka z ograniczoną odpowiedzialnością [a limited liability company under the Polish law] based in Cracow entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Cracow-Śródmieście in Cracow, 11th Business Division of the National Court Register under no. 0000416474, tax identification number NIP: 6793081225, statistical number REGON: 122544412, share capital: PLN 100 000,00 (hereinafter referred to as: Administrator)
2. Personal data is any information about an identified person or information from which such a person can be identified.
- the type of data that are processed
- rules on the processing of personal data
- the purpose and basis for processing personal data
- period of processing of personal data
- the rights the User has in relation to the processing of personal data.
4. Processing of personal data shall mean an operation or set of operations performed on personal data or sets of personal data by automatic or non-automated means. Processing operations are primarily the collection of this data, their arrangement, storage, modification as well as their adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination matching or combining, limiting, deleting or destroying.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (OJ of the Eu L 2016.119.1) – hereinafter referred to as “GDPR”
- The Personal Data protection Act of 10 May, 2018 (Journal of Laws of 2019 item 1781)
- The Telecommunications Act of 16 July, 2018 (Journal of Laws of 2019 item 2460)
- The Act of 18 July, 2002 on Providing services by electronic means (Journal of Laws of 2020 item 344)
II. BASIS FOR PROCESSING PERSONAL DATA
1. When you visit our Website and in connection with your use of it, digital information is exchanged between our IT system operating the Website and the system operating the device you are using.
2. The exchange of information between the systems takes place due to technical considerations - contact between the systems would not otherwise be possible.
3. In certain cases, we require the provision of personal data, the scope of which we specify in each case as part of the procedure for making a given functionality available.
4. Personal data are collected to a limited extent. The justification for their collection by the Administrator is to improve the operation of the Website and to expand its functionality, as well as to optimise its operation in the User's browser.
5. The basis for our processing of your personal data is:
a. Consent - granted by the User for one or more specified purposes (Article 6(1)(a) GDPR);
b. Willingness to conclude and performance of a contract - if it is necessary for the performance of the contract or at the request of the person concerned, before concluding such a contract (Article 6(1)(b) GDPR);
c. Legitimate interest of the Administrator - if the processing of the data is necessary for the legitimate interests of the Administrator or a third party, but not beyond the moment when the fundamental rights and interests of persons outweigh the interests of the Administrator or a third party (Article 6(1)(f) GDPR).
III. TYPE OF PERSONAL DATA PROCESSED AND PURPOSE OF DATA PROCESSING
1. On the basis of the consent given, we process personal data such as name and surname, login, e-mail address, telephone number, NIP, REGON, contact address. Processing is possible with the express consent of the User given during the use of the Website's services and involves registering the User's account, completing a contact form to enable contact with the User, newsletter subscription, using a discount coupon or voucher, taking part in surveys, contests and other media events, giving marketing authorisation, as well as applying for work.
2. Personal data indicated in Chapter III(1) are also processed in connection with concluding a contract and its performance; this refers to a situation where an offer to establish cooperation or conclude a contract is made by e-mail or by telephone, but also where technical support is provided or information about the availability of the products offered by external suppliers is provided.
3. Processing of personal data due to an legitimate interest of the Administrator, including those obtained through cookies or other tools placed in the Website software, takes place when our intention is to optimize and adjusting the product offer to the needs of the Website Users, as well as improvement of its functionality and quality of Users' service, examination of Users' preferences, archiving of events and operations for the purposes of confirmation of concluded agreements or infringements of the Administrator's or third parties' rights, handling of complaints, execution of obligations resulting from correct administration of personal data in connection with withdrawal of consent by the User, handling of other types of enquiries directed through the Website, examination of sales and distribution channels of products from the Administrator's offer, analysis and scope of application of products from the Administrator's offer in design solutions.
4. If you log in to our service using the authentication data of social networking sites (e.g. Facebook, Google+), then we collect, in addition to the data indicated in Chapter III(1) and Chapter III(2) above, also data such as name and surname, e-mail address, date and place of birth, location as well as information which the User has decided to make available, however, the data obtained in this manner is processed only to the extent and for the purpose of logging in.
5. The system operating the Website collects data and information from the terminal device system used by the User, i.e.: information about the type of browser and version used, User's operating system, IP address of the device in order to ensure correct display of the Website content and use of its functionality.
IV. METHODS OF PERSONAL DATA COLLECTION
1. The transfer of personal data takes place in particular during: creating an account, logging in, filling in forms or questionnaires, filling in registration windows. Information on the type of data, the provision of which is necessary to use the services available within the Website, shall be provided each time in communications visible to the User.
2. Some of the digital data may be collected in an automated manner by means of cookies and other measures that allow monitoring the activity on the Website's pages. The data collected in this manner are mixed data, i.e. they may contain personal data in their fragments.
3. By using technology for programming, the following digital data shall be collected and processed:
- specifying the device data, such as model, IP or MAC address, operating system and its version, browser type and version, screen resolution, language setting;
- describing events, i.e. the time of using the Website, data contained in cookies saved during the session,
- other data, including location data, concerning the use of the Website, the links clicked and the navigation path of the Website.
4. As part of use of the Website, the user's browser also connects to the servers of Google, Facebook, Linkedin, Twitter, Instagram, Pinterest, YouTube, through the social plugins. The rules for processing the data thus obtained are determined by the service providers. Such a visit may result in the collection of data by the aforementioned service providers, which may then be assigned to the profile of the service user in above mentioned services. The rules for processing the data thus obtained are determined by the service providers:
5. We also collect data by analysing access logs; the results of the analysis serve to improve security, better diagnose problems and eliminate logging server errors.
V. COOKIES AND OTHER DATA COLLECTION SOLUTIONS
1. The basic tools for collecting data in an automated way are "cookies ". Files saved in the systems of devices used by the User while using the Website include:
File name: safe_pl Expiration timei: 24h Function: contains a list of product IDs in the form realized for the Polish version of the service (for future language versions, the name shall be analogous)
File name: offer_cart_pl Expiration time: 24h Function: contains a list of product IDs in the form realized for the Polish version of the service (for future language versions, the name shall be analogous)
File name: compare_pl Expiration time: 24h Function: contains a list of product IDs in the form realized for the Polish version of the service (for future language versions, the name shall be analogous)
File name: PHPSESSID Expiration time: 24 min Function: contains the ID of the current session - supports session handling on the User side of the Administration Panel
File name: PHPFRONTSESSID Expiration time: 24 min Function: contains the ID of the current session - supports session handling on the User side of the Administration Panel
File name: _backendCSRF Function: the name of the token used to prevent the CSRF on the Administration Panel side
File name: _frontendCSRF Function: the name of the token used to prevent the CSRF on the Administration Panel side
File name: cookieconsent_status Czas ważności: 365 days Function: indicates whether the cookie alert has been accepted
2. Cookie files, which we use within the Service, are divided into:
a. Session cookies - temporary files stored in the memory of the browser until its closure, supporting the correct operation of the browser by means of which the Website is displayed, responsible for the security of logging into the Website, the correct display of the Website and the operation of the Website, as well as playing an important role in terms of authentication of certain services available on the Website;
b. Functional cookies – maintained within the system for a longer period of time, which depends on e.g. browser settings or the expiry date of a given file (fixed files); the purpose of the above mentioned files is to facilitate the use of the Website as part of re-displaying its content on the same device, especially with regard to e.g. optimal navigation, saved resolution, and content layout. These files may be disabled in the User's browser, however, some services may become unavailable in this situation;
c. Analytic cookies – allowing to determine the number of visits to the website, the sources of traffic on the website, the popularity of particular subpages; the data collected in this way are anonymised and their processing is aimed at improving the operation of the Website and increasing its attractiveness. It is possible to block such files, however, this may affect some services and the quality of their presentation;
d. Third parties cookies - files from our service providers, including advertising services. These types of files enable us to adapt the content, including advertisements, from third parties to your preferences (behavioural advertising).
3. In addition to cookies, we also use other software solutions (e.g. so-called tags, pixels), which enable us to monitor traffic on the Website and the behaviour of the User during their visits. Information collected in this way may be transferred to a third party, i.e. the code provider.
VI. THIRD PARTIES PROCESSING PERSONAL DATA
1. Personal data of Users on the basis of relevant agreements may also be provided to service providers, i.e.:
a. hosting providers,
b. suppliers of software enabling the maintenance of the Website and its operations (e.g. external CRM systems and external accounting systems),
c. entities providing legal, accounting or settlement services, including debt collection,
d. entities providing services within the scope of Internet marketing (mailing, positioning, etc.).
2. The service providers to which personal data are transferred, process the personal data in accordance with the purpose of entrustment agreed in the contract, or - under the terms of the contract or in the manner prescribed by law - decide themselves on the purpose and method of processing such data.
3. Processing of personal data collected by the Website software, including their storage, takes place exclusively within the European Economic Area (EEA).
VII. USER RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
1. On the basis of the GDPR regulations, you have the right to/of:
a. withdraw consent to the processing of personal data granted pursuant to Article 6(1)(a) (Article 7(3) GDPR); on this basis, you may withdraw your consent at any time and without restriction, with the result that personal data will no longer be processed; however, this will not apply if the Administrator has another legitimate purpose for processing personal data - then, despite the withdrawal of consent, personal data can be processed on this legal basis for processing;
b. access to your personal data (Article 15 GDPR); at any time you can obtain confirmation from the Administrator as to whether your personal data are being processed and, if so, you have the right to obtain a copy of such data, information on the categories of data being processed, the purpose of the processing, the recipients, the duration of the processing, the rights mentioned in this Chapter, including the right to lodge a complaint with the supervisory authority, the sources of data extraction and automated decision-making, the manner in which the data are processed, including profiling, and the consequences resulting for the User;
c. rectification (Article 16 GDPR) i.e. in particular to correct or supplement data;
d. right to erasure “right to be forgotten” (Article 17 GDPR); you may request the immediate deletion of your personal data if at least one of the following circumstances occurs: having personal data is not necessary for the purposes for which it was collected, consent to their processing has been withdrawn and there is no other legal basis for processing, an objection has been lodged pursuant to Article 21(1) GDPR in the absence of overriding grounds justifying processing or an objection is lodged pursuant to Article 21(2) GDPR, the data are processed unlawfully or should be erased in accordance with the applicable law, and also if the personal data at the time of collection referred to a minor and were obtained in the course of offering information society services with the consent of their legal representative;
e. restriction of processing (Article 18 GDPR) in the following instances: the correctness of your data has been questioned by you and there is a need to verify it by the Administrator, the processing is illegal, you have objected to the deletion of your personal data and at the same time you have demanded that the processing be restricted, The Administrator does not need personal data for the purposes of the processing, but you need them in order to establish, assert or protect your claims, an objection to the processing has been lodged pursuant to Article 21(1) GDPR, and the Administrator shall process them until it is determined whether the reasonable legal grounds for processing existing on the part of the Administrator outweigh the grounds for objecting to their further processing;
f. be notified of the rectification or erasure of personal data (article 19 GDPR) or of a restriction on processing whenever one of these events occurs, unless notification is impossible or involves a disproportionate effort;
g. data portability (Article 20 GDPR) in case the processing of the data is carried out on the basis of the consent given or in connection with the accession to or performance of a contract, or the processing is carried out by automated means;
h. object to the processing of data (Article 21 GDPR) lodged at any time, in the event that processing is necessary for the purposes of the legitimate interests of the Administrator or by a third party, except where the interests or fundamental rights and freedoms of the person to whom the data relates take precedence over those interests; the Administrator may process the data subject to objection if it demonstrates that there are compelling legitimate grounds for processing overriding the interests, rights and freedoms of the person to whom the data relates; or if it demonstrates the existence of the grounds for establishing, asserting or defending claims, or if the processing takes place for the purposes of direct marketing and the objection relates to processing for the purposes of such marketing, including profiling, in so far as it is related to such direct marketing;
i. not be subject to a decision which is based solely on automated processing, including profiling, unless that decision is necessary for the conclusion or performance of a contract between the person to whom the data relates and the Administrator, or which is based solely on automated processing, including profiling, unless that decision is authorised by Union law or by the law of a Member State to which the Administrator is subject and which implements suitable measures to safeguard the data subject's rights, freedoms and legitimate interests or is based on the explicit consent of the data subject.
2. The exercise of the aforementioned rights can be done by contacting the Administrator at the following e-mail address: email@example.com; for this purpose it is necessary to provide the name and address of the data subject.
3. In the event that the User invokes any of the above rights, the Administrator may comply or refuse to comply with the request immediately but no later than within one month after receiving the relevant message. In justified cases this period may be extended to two months, of which the User shall be notified at the original date.
4. If the User finds out that their rights resulting from the provisions of the GDPR in terms of personal data processing have been infringed, they have the right to lodge a complaint with the President of the Office for Personal Data Protection.
VIII. PERIOD OF PERSONAL DATA PROCESSING
1. If the basis for the processing of User’s personal data is the need to perform a contract, the data are processed for the period until the expiry of the limitation period. As a rule, it shall be the last day of the calendar year in which a period of six years has elapsed from the date on which claims relating to the performance of such a contract become due and payable or a period of 3 years if the claims have a periodic or continuous character or are related to the conduct of business activity (the beginning of the counting of the limitation period usually starts from the moment when the contract should have been performed or was performed).
2. If the basis for the processing of personal data is the consent granted, then personal data shall be processed for a period until the expiry of the limitation period, as in Chapter VIII(1), the beginning of which shall run from the date of withdrawal of consent.
3. If a contract has been concluded and a copyright or license has passed, then your data will be processed for the entire period for which the right or license is granted.
4. In other cases, except for data obtained through cookies or similar data collection solutions, your data will be processed until you object to their processing or request their deletion, but no longer than 3 years after your last activity on the Website.
5. The data collected by means of cookies will be processed not for the period indicated in Chapter V, but for no longer than 1 year.
IX. SECURITY OF PERSONAL DATA PROCESSING
1. As part of our data security policy, we take appropriate organisational and technical measures to protect personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage ("integrity and confidentiality").
2. In the area of technological solutions, we apply solutions appropriate to the development of technological knowledge to ensure the security of digital data, including personal data, stored in a network environment and transmitted electronically, in particular by securing access (digital and physical) and creating backups.
3. In the area of organisational solutions, we ensure the security of personal data processing by implementing appropriate organisational procedures, including limited access to personal data by natural persons performing work or services for the Administrator, and in the case of entrusting personal data to third parties, by concluding personal data processing agreements with such parties, in which such a party is obliged to ensure the same technical and organisational standards of personal data processing as their Administrator.
X. PRIVACY OF CHILDREN
Services offered as part of the Website are not dedicated to minors. In the event of obtaining information on the obtaining of personal data of a minor, the Administrator immediately takes actions resulting from legal regulations.