Subjects
01General provisions
The following Website Privacy Policy is informative in nature, which means that it is not a source of obligations for Service Users or Customers of the Website. The Privacy Policy contains, above all, the principles concerning the processing of data by the Controller in the Website, including the basis, purpose and scope of personal data processing and the rights of data subjects as well as information regarding the use of cookies and analytical tools in the Website.
The Controller of personal data collected via the Website is LUQAM SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ SPÓŁKA KOMANDYTOWA with the registered office in Kraków (address and mailing address: ul. Kamieńskiego 47, 30-644 Kraków; entered into the Register of Entrepreneurs of the National Court Register under the KRS number 0000442347; the registration court, in which the company"s documentation is kept: District Court for Kraków Śródmieście (Kraków City Centre) in Kraków, XI Commercial Division of the National Court Register, Tax ID Number (NIP): 6793087067; National Business Registry Number (REGON): 122736324; e-mail address lekiert@luqam.com - hereinafter referred to as “Controller” and being simultaneously the Service Provider of the Website.
Contact details of the data protection officer designated by the Controller: Malgorzata Worobik, e-mail address: mworobik@luqam.com.
The personal data in the Website are processed by the Controller in accordance with applicable law, in particular in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as "GDPR" or “ GDPR Regulation". Final legal text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
Using the Website, concluding contracts included, is voluntary. Similarly, providing personal data by the Service User or the Customer using the Website is voluntary, subject to two exceptions: (1) entering into contracts with the Controller – failure to provide the personal data necessary for the conclusion and performance of a Reservation Contract or a contract for the provision of an E-Service with the Controller in the cases and within the scope indicated on the Website pages and in the Terms and Conditions of the Website and this Privacy Policy shall result in no possibility to enter into the contract. Providing personal data is a contractual requirement in such a case and if the data subject is willing to enter into the contract with the Controller, they shall be obligated to provide the required data. The scope of the data required to enter into the contract is each time specified in advance on the Website page and in the Terms and Conditions of the Website; (2) statutory obligations of the Controller – specifying the personal data is a statutory requirement resulting from the commonly binding legal regulations obligating the Controller to process the personal data (e.g. processing data to fiscal books and ledgers) and failure to specify the data will render it impossible for the Controller to perform the obligations.
The Controller assures due diligence to protect the interest of persons being data subjects, in particular being responsible and liable for and assuring that the data collected are: (1) is processed in accordance with the law; (2) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (3) technically correct and adequate in regards to the purpose, for which it is processed; (4) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and (5) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. The measures are reviewed and updated, as necessary. The Controller applies technical measures preventing the acquisition and modification of personal data sent electronically by unauthorised persons.
Any words, phrases and acronyms which occur in this Privacy Policy and beginning with a capital letter (e.g. Service Provider, Website, Electronic Service) should be interpreted according to their definition contained in the Website Terms and Conditions available on the Website.
02Grounds for processing personal data
Processing of personal data is admissible only when - and to the extent that - at least one of the following prerequisites occurs (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Processing of personal data by the Controller shall each time require the existence of at least one of the grounds specified in point 2.1 of the Privacy Policy. Specific grounds on which the personal data of the Service Users and Customers of the Website are processed by the Controller are indicated in the next section of the Privacy Policy - as per the purpose of processing of personal data by the Controller.
03Purpose, basis, and scope of data processing in the website
Each time the purpose, basis, period and scope of processing and the recipients of data processed by the Controller correspond to actions performed in the Website by the Service User or Customer. The Controller may process the personal data in the Website for the purposes, on the bases, within the periods and scope, as follows:
PURPOSE OF PERSONAL DATA PROCESSING | Legal basis for processing and retention period |
SCOPE OF PERSONAL DATA PROCESSING |
Implementation of the Reservation Contract or Contract for the Provision of Electronic Services, or taking action at the request of the data subject prior to entering in the a/m contracts | Article 6 paragraph 1 point b. of the GDPR (performance of the contract)Data is kept for the period necessary for the performance, termination or expiry of the contract otherwise concluded. | Maximum scope: name and surname, e-mail address; contact telephone number; residence address/business address/head office (if other than the delivery address). In the case of Service Users or Customers who are not consumers, the Controller may additionally process the name of the company and tax identification number (NIP) of the Service User or Customer.The above constitutes the maximum scope – in the case of e.g. collecting a product personally, one does not have to specify the delivery address. |
Direct marketing | Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the Controller)The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years, and for a Reservation Contract two years).The Controller may not process the data for the needs of direct marketing in the case of expressing clear objection in this field by the data subject. | E-mail address |
Marketing | Article 6, par. 1, point a) of the GDPR Regulation (consent)The data are stored until the data subject withdraws the consent to further process their data to that end. | Name, e-mail address |
Keeping tax books | Article 6, par. 1, point c) of the GDPR Regulation in relation with Article 74 par. 2 of Tax Ordinance Act of 30 January 2018 (Journal of Laws of 2018 item 395). The data shall be stored for the legally required period, requesting the Controller to keep accounts (5 years from the beginning of the year following the financial year to which they relate). | Name and surname; address of residence /business address/head office, the company name and VAT no. (NIP) of the Service User or the Customer. |
Determining, pursuing or defence of claims on the side of the Controller, or ones that may arise as regards the Controller. | Article 6, par. 1, point f) of the GDPR RegulationThe data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years). | Name and surname; phone no.; e-mail address; address of residence/business address/head office. In the case of Service Users or Customers who are not consumers, the Controller may additionally process the name of the company and tax identification number (NIP) of the Service User or Customer. |
04Data recipients in the website
For the needs of proper Website functioning, including the performance of the Reservation Contracts, it shall be necessary for the Controller to make use of external companies’ services (e.g. software provider, or payment system provider). The Controller uses solely the services of such processing entities which ensure sufficient guarantee to implement appropriate technical and organisational measures so that the processing meets the requirements set out in the GDPR Regulation and protects the rights of data subjects. Personal data may be transferred by the Controller to a third country with a stipulation that the Controller warrants that in such a case the country in question will ensures an adequate level of protection - in compliance with the GDPR Regulation, and that the data subject will have the possibility to obtain a copy of his/her data. The Controller shall transfer the collected personal data only if and to the extent necessary to achieve the purpose of processing the data in accordance with this privacy policy. Providing data by the Controller does not take place in every case and not to all the recipients or categories of recipients defined in the privacy policy – the Controller provides the data only in the case it proves necessary to attain a given purpose of personal data processing and solely within the necessary scope. Personal data of the Website Service Users or Customers may be provided to the following recipients or categories of recipients: sales agents - persons responsible for promoting and selling products. carriers/forwarders/couriers – in the case of a Customer who selects the Website to deliver the Product by post or courier, the Controller makes the collected Customer’s personal data available to the selected carrier, forwarder or agent performing shipment for the Controller to the extent necessary to deliver the Product to the Customer. e-payments or payment card service providers – in the case of a Customer who uses in the Website the option of e-payment or payment card, the Controller makes the collected Customer’s personal data available to the selected provider of payment service in the Website upon the Controller's commission to the extent necessary to perform the payment of the Customer. service providers rendering for the Controller technical, IT or organisational solutions, making it possible for the Controller to conduct a business, including the Website and E-Services provided via it (in particular computer software providers for the Website, e-mail companies and hosting providers as well as software providers for company management and technical support for the Controller) – the Controller makes the collected personal data of the Customer available to the selected provider operating to their order only in the case and to the extent necessary for attaining a given purpose of data processing in accordance herewith. accounting, legal and counselling services providers rendering for the Controller accounting, legal or counselling services (in particular an accounting agency, law firm or debt collection company) – the Controller makes the collected personal data of the Customer available to the selected provider operating to their order only in the case and to the extent necessary for attaining a given purpose of data processing in accordance herewith.
05Profiling in the online store
The GDPR Regulation obligates the Controller to inform about the automated decision-making process, including profiling referred to in Article 22, par. 1 and 4 of the GDPR Regulation, and – at least in those cases – the vital information concerning the decision-making process as well as the meaning and foreseeable consequences of processing for the person being the data subject. Bearing in mind the above, the Controller specifies in this section of the privacy policy the information concerning the possible profiling. The Controller may use profiling in the Website for direct marketing purposes, yet the decisions made on its basis by the Controller do not concern the conclusion or rejection to conclude the Reservation Contract, or the possibility to make use of E-Services in the Website. The result of profiling in the Website may be e.g. discount for a given person, sending a discount code, reminding about unfinished purchase process, or offering better conditions as compared with the standard offer of the Website. Regardless of profiling, the person makes decisions freely, whether they want to use the discount given, or better conditions. Profiling in the Website consists in automatic analysis or forecast of the conduct of a given person on the page of the Website, or the analysis of the history of actions taken in the Website. The condition for such profiling is for the Controller to have the personal data of the person, so that they can later send them e.g. a discount code. The data subject shall have the right not to depend on the decision which is only based on automated processing, including profiling, and has some legal effects on the person or similarly affects them.
06The rights of the data subject
The right to access, rectify, restrict, erase or transmit – the data subject shall have the right to demand the Controller to have access to their personal data, rectify, erase (“the right to be forgotten”) or restrict the processing and shall have the right to object to the data processing and right to data portability. Detailed conditions of execution of the above rights shall be indicated in Articles 1522 of the GDPR Regulation. The right to withdraw the consent at any time – the person whose data are being processed by the Controller on the basis of the consent given (pursuant to Article 6, par. 1, point a) or Article 9, par. 2, point a) of the GDPR Regulation), shall have the right to withdraw his/her consent at any time without any impact on the compatibility with the right to process made based on the consent prior to the withdrawal. The right to lodge a complaint with a supervisory body – the person whose data are being processed by the Controller shall have the right to lodge a complaint with a supervisory body in a manner and mode specified in the provisions of the GDPR Regulation and the Polish law, in particular the Personal Data Protection Act. The supervisory body in Poland shall be the President of Personal Data Protection Office. The right to object – the data subject shall have the right, at any time, to lodge a complaint – for reasons related to their particular situation – as regards the processing of their personal data based on Article 6, par. 1, point e) (public interest or official authority) or f) (legitimate interest of the controller) including profiling based on the provisions. The Controller in such a case must stop processing the personal data, unless it shows the existence of legally significant and justified bases for the processing, overriding the interests, rights and freedoms of the data subject, or the bases for determining, pursuing or defending the claims. The right to object as regards direct marketing – in the case the personal data are being processed for the needs of direct marketing, the data subject shall have the right, at any time, to lodge a complaint as regards the processing of their personal data for the needs of such marketing, including profiling, to the extent to which the processing is related to direct marketing. To perform the rights mentioned in this section of the privacy policy, one may contact the Controller by sending them an appropriate message in writing or via e-mail to the address of the Controller indicated at the beginning of the privacy policy or using the contact form available on the Website.
07Cookies in the website, operational data and analytics
Cookie files (Cookies) are small pieces of text information in the form of text files, sent by a server and recorded by the User visiting the Website (e.g on the computer’s, or laptop’s hard drive, or on a smartphone memory card – depending on which device is used when visiting the Website). Detailed information on Cookies, as well as the history of their creation can be found, among other places, here: http://pl.wikipedia.org/wiki/Ciasteczko. The Controller processes the data contained in Cookie files during the visitors’ use of the Website for the following purposes: identification of Service Users as logged in to the Website and informing that they are logged in; recording Products added to the shopping cart in order to place an Order; recording of data from the filled out Order Forms, questionnaires or the Website login data; adjusting the Website’s contents to the Service User’s individual preferences (e.g. regarding colours, fonts, website layout), and optimizing the use of the Website; keeping anonymous statistics which present the way that the Website is used. remarketing, namely evaluating the conduct of visitors of the Website through anonymous analysis of their activities (e.g. repeated visits on particular pages, key words etc.) to create their profile and provide them with adverts matching their interests, also when they visit other web pages in the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. As a standard, most Internet browsers by default accept the saving of Cookie files. Every user has the possibility to specify the conditions of Cookie file use via the Internet browser’s settings. This means, that it is possible to partially (e.g. temporarily) restrict or completely disable the saving of Cookie files on the User’s computer – in the latter case, however, it may influence specific functionalities of the Website. The Internet browser setting in terms of Cookie files are significant from the point of view of consent to use Cookie files by our Website – in accordance with the regulations, such consent may also be expressed through adjusting the Internet browser settings. If a Users do not express such consent, they are asked to change the Cookie settings in their Internet browser. Detailed information regarding changing Cookie file settings and individual removal of them in the most popular Internet browsers are available in the Internet browser’s help section and at the following websites (please click the appropriate link):
- Chrome browser
- Firefox browser
- Internet Explorer browser
- Opera browser
- Microsoft Edge browser
The Controller may use Google Analytics and Universal Analytics services in the Website provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). The services help the Controller to analyse the frequency of visits in the Website. The data collected are processed under the above services in an anonymous manner (the so-called operational data, which make it impossible to identify a person) to generate statistics helpful while administering the Website. The data are of collective and anonymous nature, i.e. they do not contain any identifying features (personal data) of the visitors of the Website. Using the above services in the Website, the Controller collects such data as the sources and medium of acquiring visitors of the Website and the manner of their conduct on the Website, information concerning their devices and browsers used to visit the web page, IP and domain, geographical data and demographic data (age, sex) and interests. It is possible to easily block sharing information with Google Analytics as regards the activity on the Website page – install to that end an Opt-out Browser Add-on made available by Google Ireland Ltd. at: https://tools.google.com/dlpage/gaoptout?hl=pl. The Controller may use Facebook Pixel service, which is provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The service helps the Controller to measure an effectiveness of adverts and to find out what actions the users of the Website undertake in order to show them matching adverts. Detailed information about the Pixel Facebook features can be found at the address: https://www.facebook.com/business/help/742478679120153?helpref=page_content. Managing Facebook Pixel is possible through ads settings on a Facebook user’s account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
08Final provisions
The Online Store may contain links to other web pages. The Controller encourages that at the time of being transferred to other websites, become familiar with the privacy policy. This privacy policy shall apply only to the Controller's Website.