Administrator – REST R. Stasik with its registered office at ul. Pilska 1A 05-510 Konstancin-Jeziorna
Personal data – all information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including the device's IP, location data, internet id and information collected through cookies and other similar technology.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC.
Shop – an online store run by the Administrator at www.reststore.pl
Customer – any individual visiting the Store or using one or more of the services or functionalities described in the Policy.
2. PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE STORE
In connection with the Customer's use of the Store, the Administrator collects data to the extent necessary for the provision of individual services offered, as well as information about the Customer's activity in the Store. The following are described detailed rules and purposes of the processing of personal data collected during the use of the Store by the Customer.
3. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING IN THE STORE
USING THE REST STORE
3.1. Personal data of all persons using the Store (including IP address or other identifiers and information collected through cookies or other similar technologies) and non-registered Customers (i.e. persons without a profile in the Store) are processed by the Administrator:
3.1.1. in order to provide electronic services to the extent that the content collected in the Store is made available to customers
3.1.2. in order to handle complaints - then the legal basis for processing is the necessity of processing for the performance of the contract (Art. 6 para. 1 lit b GDPR);
3.1.3. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Administrator (Art. 6 para. 1 lit f GDPR) consisting in conducting analyses of clients' activities, as well as their preferences in order to improve the functionality used and the services provided;
3.1.5. in order to establish, pursue or defend claims against them, the legal basis for the processing is the legitimate interest of the Administrator (Art. 6 para. 1 lit f GDPR) in protecting his rights;
3.1.6. for marketing purposes of the Administrator
The Customer's activity in the Store, including his personal data, is recorded in the system logs (a special computer program used to store a chronological record containing information about events and activities related to the IT system used to provide services by the Administrator). Information collected in logs processed in connection with the provision of services. The controller also processes them for technical purposes in particular, the data may be temporarily stored and processed in order to ensure the security and proper functioning of information systems, e.g. in connection with the making of security copies, tests of changes in information systems, detection of irregularities or protection against fraud and attacks.
REGISTRATION IN THE REST STORE
3.2.Persons who register in the Store are asked to provide the data necessary to create and operate an account. In order to facilitate the service, the Customer may provide additional data, thereby giving his consent to their processing. You can delete this data at any time. Providing data marked as mandatory is required in order to create and maintain an account, and failure to provide it results in the inability to create an account. Providing the remaining data is voluntary.
3.3. Personal data are processed:
3.3.1. in order to provide services related to the operation and operation of an account in the Store – the legal basis for processing is the necessity of processing for the performance of the contract (Art. 6 para. 1 lit.b GDPR), and as regards the data optionally provided , the legal basis for processing is consent (Art. 6 para. 1 lit a GDPR);
3.3.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Art. 6 para. 1 lit. f GDPR) consisting in conducting analyses of customer activity in the Store and how the account is used, as well as their preferences in order to improve the functionality used;
3.3.3. for the purpose of possible establishment and redress or defense against them – the legal basis for processing is the legitimate interest of the Administrator (Art. 6 para. 1 lit. f GDPR) consisting in the protection of his rights.
3.4. If the Customer places on the Website any personal data of other persons (including their name, address, telephone number or e-mail address), he may do so only on condition that the provisions of applicable law and personal rights of such persons are not violated.
3.5. Placing an order (purchase of goods or services) by the Store Customer involves the processing of his personal data. The provision of data marked as mandatory is required for the acceptance and handling of the order, and failure to provide it results in its non-execution. Providing the remaining data is optional.
3.6. Personal data are processed:
3.6.1. in order to fulfill the placed order – the legal basis for processing is the necessity of processing for the performance of the contract (Art. 6 para. 1 lit.b GDPR); as regards the data optionally provided, the legal basis for processing is consent (Article 6(1)(a) GDPR);
3.6.2. in order to comply with the statutory obligations incumof the Administrator, arising in particular from tax and accounting regulations , the legal basis for processing is a legal obligation (Article 6(1)(b.c GDPR);
3.6.3. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Art. 6 para. 1 lit. f GDPR) consisting in conducting analyses of customers' activity in the Store, as well as their purchasing preferences in order to improve the functionality used;
3.6.4. for the purpose of possible determination and redress or defense against them – the legal basis for processing is the legitimate interest of the Administrator (Art. 6 para. 1 lit. f GDPR) consisting in the protection of his rights.
3.7. The Administrator provides the possibility to contact him using electronic contact forms. The use of the form requires the provision of personal data necessary to contact the Customer and respond to the request. The customer may also provide other data to facilitate contact or handling of the inquiry. Mandatory data is required to receive and handle a query, and failure to provide it results in inability to handle it. Providing the remaining data is voluntary.
3.8. Personal data are processed:
3.8.1. in order to identify the sender and handle his request sent through the form provided , the legal basis for the processing is the necessity of processing for the performance of the service contract (Art. 6 para. 1 lit.b GDPR);
3.8.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Art. 6 para. 1 lit. f GDPR) consisting in conducting statistics of queries reported by Users through the Service in order to improve its functionality.
4.1. The Administrator processes customers' personal data for the purpose of carrying out marketing activities, directing e-mail notifications about interesting offers or content that in some cases contain commercial information and conducting other activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).
4.2. The Administrator processes personal data of Clients, including personal data collected through cookies and other similar technologies. Cookies used to create statistics, allow you to automatically recognize the IP address of your computer the next time you visit and allow you to maintain a session of the logged-in user. They are also used for advertising purposes to provide users with advertising content tailored to their interests.
4.3. If the Customer has consented to receive marketing information via e-mail, SMS and other electronic means of communication, the Customer's personal data will be processed for the purpose of sending such information. The basis for the data processing is the Legitimate Interest of the Administrator in the shipment of marketing information within the limits of the consent given by the Client. The data will be stored for this purpose for the duration of the existence of a legitimate interest of the Administrator, unless the Client objects to receiving marketing information.
5. COMMUNITY PORTALS
5.1. The Administrator processes the personal data of Customers visiting the Administrator's profiles conducted on social media (Facebook, YouTube, Instagram, Twitter, Google +, Pinterest). This data is processed solely in connection with the conduct of the profile, including in order to inform clients about the Administrator's activities and promote various types of events, services and products, as well as to communicate with clients through functionalities available on social media. The legal basis for the processing of personal data by the Administrator for this purpose is his legitimate interest (Art. 6 para. 1 lit. f GDPR) consisting in promoting his own brand and building and maintaining a community associated with the brand.
6. PERIOD OF PROCESSING OF PERSONAL DATA
6.1. The period of data processing by the Administrator depends on the type of service provided and the purpose of the processing. As a general rule, the data are processed for the duration of the provision of the service or the execution of the order, until the consent is withdrawn or an effective objection to the processing of data is raised in cases where the legal basis for data processing is the legitimate interest of the Administrator.
6.2. The period of data processing may be extended where the processing is necessary to establish and pursue possible claims or defend against them, and after that time only in the case and to the extent required by law. After the processing period has elapsed, the data shall be irretrievably deleted or anonymised.
7. CUSTOMER PERMISSIONS
7.1. Data subjects shall have the following rights:
7.1.1. Right to information about the processing of personal data – on this basis, the Controller provides information about the processing of personal data, including in particular the purposes and legal grounds for processing, the scope of the data held, the entities to which the personal data are disclosed and the planned date of their deletion;
7.1.2. The right to obtain a copy of the data – on this basis, the Administrator transmits a copy of the processed data concerning the person making the request;
7.1.3. Right to rectification – on this basis, the Administrator removes any inconsistencies or errors regarding the personal data processed, and supplements or updates them if they are incomplete or have changed;
7.1.4. Right to erasure – on this basis, you can request the deletion of data whose processing is no longer necessary for the purposes for which they were collected;
7.1.5. Right to restriction of processing – on this basis, the Controller ceases to carry out operations on personal data, except for operations for which the data subject has consented and their storage, in accordance with the accepted retention rules, or until the reasons for limiting the processing of data cease (e.g. a decision of the supervisory authority authorising further processing of data will be issued);
7.1.6. The right to data portability – on the basis that the data are processed in connection with the concluded contract or consent, the Controller issues the data provided by the data subject in a format that allows them to be read by the computer. It is also possible to request the transfer of this data to another entity – provided, however, that there are technical possibilities in this regard both on the part of the Administrator and that other entity;
7.1.7. The right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection;
7.1.8. Right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the legitimate interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to the protection of property). The objection in this regard should contain a justification and be assessed by the Administrator;
7.1.9. Right to withdraw consent – if the data are processed on the basis of consent, the data subject has the right to withdraw it at any time, but this does not affect the lawfulness of the processing carried out before the withdrawal of that consent;
7.1.10 Right to a complaint – if it is considered that the processing of personal data violates the provisions of the GDPR or other provisions on the protection of personal data, the data subject may lodge a complaint with the President of the Office for Personal Data Protection.
7.2. A proposal for the exercise of the rights of data subjects may be submitted:
7.2.1. in writing to REST R. Stasik ul. Pilska 1A 05-510 Konstancin-Jeziorna
7.2.2. by e-mail to: firstname.lastname@example.org
7.3. The proposal should, as far as possible, indicate precisely what the request relates to, i.e. in particular:
7.3.1. what right the applicant wants to exercise (e.g. right to receive a copy of the data, right to erasure, etc.);
7.3.2. what processing process is affected by the request (e.g. use of a particular service, activity on a particular website, receiving a newsletter containing commercial information to a specific email address, etc.);
7.3.3. what processing purposes the request relates to (e.g. marketing purposes, analytical purposes, etc.).
7.4. If the Administrator is unable to determine the content of the request or identify the person submitting the application based on the application made, he will ask the applicant for additional information.
7.5. The response to the application will be given within one month of its receipt. If it is necessary to extend this period, the Administrator shall inform the applicant of the reasons for such extension.
7.6. The reply will be given to the e-mail address from which the request was sent and, in the case of requests made by letter, by ordinary letter to the address indicated by the applicant, unless the content of the letter indicates a desire to receive feedback to the e-mail address (in which case the e-mail address must be provided).
8. RECIPIENTS OF DATA
8.1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular it system providers, entities such as banks and payment operators, accounting, legal, audit, consulting, courier (in connection with the execution of the order), marketing agencies (in the field of marketing services)
8.2. The Customer's personal data may be shared with other entities for their own purposes, including marketing purposes only after obtaining the Customer's consent.
8.3. The Administrator reserves the right to disclose selected information concerning the Client to competent authorities or third parties who request such information on the basis of an appropriate legal basis and in accordance with the provisions of applicable law.
9. SECURITY OF PERSONAL DATA
9.1. The Controller conducts a risk analysis on an ongoing basis to ensure that personal data are processed by him in a secure manner – ensuring, first of all, that only authorized persons have access to the data and only to the extent necessary for the tasks performed by them. The Administrator ensures that all operations on personal data are recorded and carried out only by authorized employees and collaborators.
9.2. The Administrator takes all necessary measures to ensure that his subcontractors and other cooperating entities also provide a guarantee of appropriate security measures whenever they process personal data on behalf of the Administrator.