PRIVACY POLICY

 

 

§1. Data Controller

 

  1. The data controller within the meaning of Article 4 point 7 of the Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR) is Zuzanna Synoradzka-Wróbel residing at ul. Ligota Wielka 16, 56-400 Oleśnica.
  2. The data controller's email address: zuzannajuliasw@gmail.com.
  3. The controller, in accordance with Article 32 paragraph 1 of GDPR, adheres to the principle of personal data protection and implements appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure, or unauthorized access to personal data processed in connection with the conducted activity.
  4. Providing personal data by the client is voluntary, but necessary for concluding a contract with the data controller.
  5. The data controller processes personal data to the extent necessary to fulfill the contract or provide services to the person to whom the data relates.

 

§2. Purpose and Legal Basis for Processing Personal Data

 

The controller processes personal data for the following purposes:

a) preparing a commercial offer in response to the client's interest, which is a legitimate interest of the data controller (Article 6 paragraph 1 letter f GDPR);

b) concluding and executing sales contracts with clients, based on the concluded contract (Article 6 paragraph 1 letter b GDPR);

c) providing services electronically through the Online Store, based on the concluded contract (Article 6 paragraph 1 letter b GDPR);

d) handling the complaint process, based on the obligation of the data controller under applicable law (Article 6 paragraph 1 letter c GDPR);

e) accounting related to issuing and accepting settlement documents, based on tax law regulations (Article 6 paragraph 1 letter c GDPR);

f) archiving data for potential determination, pursuit, or defense against claims or the need to demonstrate facts, which is a legitimate interest of the data controller (Article 6 paragraph 1 letter f GDPR);

g) contact via phone or email, particularly in response to inquiries directed to the data controller, which is a legitimate interest of the data controller (Article 6 paragraph 1 letter f GDPR);

h) sending technical information regarding the operation of the Online Store and services used by the client, which is a legitimate interest of the data controller (Article 6 paragraph 1 letter f GDPR);

i) marketing, which is its legitimate interest (Article 6 paragraph 1 letter f GDPR) or occurs based on previously granted consent (Article 6 paragraph 1 letter a GDPR).

 

§3. Data Recipients. Transfer of Data to Third Countries

 

  1. Recipients of personal data processed by the data controller may be entities cooperating with the data controller when necessary to fulfill the contract concluded with the person to whom the data relates, e.g., electronic payment operators or banking institutions handling installment payments.
  2. Recipients of personal data processed by the data controller may also include subcontractors – entities whose services the data controller uses in processing data, e.g., accounting offices, law firms, entities providing IT services (including hosting services).
  3. The data controller may be required to provide personal data based on applicable laws, particularly to authorized bodies or state institutions.
  4. Personal data may be transferred to an entity based outside the European Economic Area, e.g., Shopify Data Processing Inc., in connection with the data controller's use of the Shopify platform for managing and maintaining the Online Store. As an appropriate data protection measure, the data controller has agreed to standard contractual clauses in accordance with Article 46 of GDPR with the providers of these services. More information on this topic is available here: https://commission.europa.eu/law/law-topic/data-protection_en.

 

§4. Period of Storage of Personal Data

 

  1. The data controller stores personal data for the duration of the contract concluded with the person to whom the data relates and after its termination for purposes related to pursuing claims arising from the contract, fulfilling obligations arising from applicable laws, but for no longer than the limitation period according to the provisions of the Civil Code.
  2. The data controller retains personal data contained in billing documents for the period specified by tax law.
  3. The data controller retains personal data processed for marketing purposes for a period of 10 years, but not longer than until the consent for data processing is withdrawn or an objection to data processing is raised.
  4. The data controller retains personal data for purposes other than those specified in paragraphs 1-3 for a period of one year, unless consent for data processing has been withdrawn earlier, and the processing of data cannot be continued on another basis than the consent of the data subject.

 

§5. Rights of the data subject

 

1. Every data subject has the right to:

a) access – obtain confirmation from the controller as to whether their personal data is being processed. If data about the person is being processed, they are entitled to access it and obtain the following information: the purposes of processing, categories of personal data, information about recipients or categories of recipients to whom the data has been or will be disclosed, the retention period of the data or the criteria for determining it, the right to request rectification, erasure, or restriction of personal data processing available to the data subject, and to raise an objection to such processing (Article 15 GDPR);

b) to receive a copy of the data – obtain a copy of the data being processed, with the first copy being free of charge, while for subsequent copies, the controller may charge a reasonable fee based on administrative costs (Article 15(3) GDPR);

c) to rectification – request the rectification of their personal data that is inaccurate or the completion of incomplete data (Article 16 GDPR);

d) to erasure of data – request the erasure of their personal data if the controller no longer has a legal basis for processing or if the data is no longer necessary for processing purposes (Article 17 GDPR);

e) to restriction of processing – request the restriction of personal data processing (Article 18 GDPR), when:

- the data subject contests the accuracy of the personal data – for a period allowing the controller to verify the accuracy of this data,

- the processing is unlawful, and the data subject opposes its erasure, requesting the restriction of its use,

- the controller no longer needs the data, but it is needed by the data subject for the establishment, exercise, or defense of claims,

- the data subject has raised an objection to processing – until it is determined whether the legitimate grounds for the controller's processing are overriding the grounds for objection of the data subject;

f) to data portability – receive their personal data in a structured, commonly used, machine-readable format, which they provided to the controller, and request to transmit that data to another controller, if the data is processed based on the consent of the data subject or a contract with them and if the data is processed in an automated manner (Article 20 GDPR);

g) to objection – raise an objection to the processing of their personal data for the legitimate purposes of the controller, for reasons related to their particular situation, including profiling. In this case, the controller assesses the existence of important legitimate grounds for processing that override the interests, rights, and freedoms of the data subjects or the grounds for establishing, exercising, or defending claims. If, according to the assessment, the interests of the data subject are found to be more important than the interests of the controller, the controller will be obliged to cease processing the data for those purposes (Article 21 GDPR).

2. To exercise the above-mentioned rights, the data subject should contact the controller using the provided contact details and inform them which right and to what extent they wish to exercise.

3. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office in Warsaw.

 

§6. Profiling

 

Personal data obtained by the data controller will not be processed in an automated manner – including profiling.

 

§7. Social media plugins

 

  1. The controller uses plugins on the website that link to social media. These plugins are marked with the logo of the respective social media service.
  2. Data is transmitted to social media platforms only when the user actively clicks the appropriate plugin button. Upon clicking the plugin icon, the web browser will initiate a connection to the servers of the respective social media platform, and the user will be redirected to the external service provider's page, meaning the owner of the respective social media service, while the user's web browser establishes a direct connection with the servers of those social media services. Using these features may involve the use of external cookies. From the moment the user clicks on a specific plugin, personal data is processed on the given social media platform, and the owner of the social media platform becomes a co-administrator of the personal data. The administrator informs that from the moment of the active click on the plugin button, the Administrator has no influence over the nature and scope of the personal data collected by the respective social media platform.
  3. Data is transmitted regardless of whether the user has an account on the respective social media platform or whether they are logged in. If the user is logged into the specific social media platform, the collected personal data will be directly linked to the account (profile) they are using.
  4. To obtain more information about the purpose and scope of personal data collection, including the principles of their processing by the provider of the respective platform, one should review the privacy policies of those providers.

 

 

 

 

 

 

FIRM

INFO

SOCIAL MEDIA

ZUZANNA JULIA SW 2025