1. The Personal Data Administrator is IWUC Sp. z o. o., with registered office at the following address: 8B/28 Klobucka Street, 02-699 Warsaw, Poland, registered in the register of entrepreneurs of the National Court Register by the District Court in Warsaw, XIII Commercial Division of the National Court Register, under KRS number: 0000636355, NIP (Tax Identification Number): 9512418776, REGON (National Business Registry Number): 365371328.
2. With respect to your rights as personal data subjects (i.e. people to whom the data relates) and with respect to the mandatory rules of law, including especially the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/WE (General Data Protection Regulation), hereinafter referred to as GDPR, the Polish personal data protection Act (hereinafter referred to as the Act) and other relevant personal data protection laws, we commit to maintaining the safety and confidentiality of all personal data that you share with us. All our employees have been properly trained in personal data protection, and our company, as the Personal Data Administrator, has introduced new security measures, as well as technical and organisational means, in order to ensure the highest possible level of personal data protection. We have introduced appropriate procedures and policies to process personal data in accordance with GDPR, so that personal data processing occurs lawfully and reliably and you, as the persons to whom the data relates, may execute all your relevant rights. Additionally, if needed, we cooperate with the regulatory body within the territory of the Republic of Poland, i.e. the President of the Data Protection Authority (hereinafter referred to as PDPA).
3. Any questions, requests or complaints relating to personal data processing in our company (the Personal Data Administrator), hereinafter referred to as Applications, should be sent via e-mail to the following e-mail address: info [!at] rainbowsocks.com, or in writing to the postal address of the Data Protection Supervisor, i.e. ul. Klobucka 8B/28, 02-699 Warsaw, Poland.
4. The Applications should clearly contain:
a. the data of the person or persons to whom the Application relates,
b. the event that the Application relates to,
c. the filed requests and their legal basis,
d. the desired means of solving the issue.
5. Our Online Shop collects the following personal data:
a. name and surname – when placing an Order you will be asked to provide us with your name and surname, in order for us to be able to execute the Order and contact you, if needed,
b. residential address – we require your residential address to execute Orders involving us shipping the ordered Product to you,
c. telephone number – it may occur that we shall need to call you in order to confirm the placed Order or in cases of unforeseen events (such as e.g. your ordered Product missing from our warehouse), so that we may offer you the best possible solution to the problem,
d. e-mail address – we shall use the e-mail address to send you a confirmation of the placed Order and contact you to inform you on matters relating to your Order. If you are subscribing to our newsletter, we shall also be able to send you marketing information once or twice a month,
e. Tax ID / NIP – we collect the tax ID from entrepreneurs and customers requesting us to issue an invoice,
f. IP address of the end device – the general information relating to the usage of Internet-based connections, such as IP address (and other information contained in the system logons) are used by the Online Shop administrator for technical reasons. The IP addresses may also be used for statistical purposes, especially collecting general demographic data (e.g. about the region from which a connection is received),
g. alternatively, other data may be collected as part of specific cases or may be given by you as a user of our Online Shop (including as a customer or potential customer) via email, contact form available in the Online Shop, traditional mail or telephone contact; You can also indicate your date of birth voluntarily.
6. Provision of the data specified above is mandatory in the following circumstances:
- in order to place an Order in our Online Shop via the Order Form available on our Online Shop Website (ordering without logging in / creating an Account),
- in order to contact us via the contact form available on our website,
- in order to register in the Client database, which is not obligatory; in such a case we shall store the provided data in our database, to make it easier for you to make purchases in our Online Shop in the future,
- in order to execute the newsletter service (subscription) – if you want to be informed of interesting events and marketing offers, you may subscribe to our newsletter; the subscription is not mandatory and you may unsubscribe at any time.
7. Our Online Shop utilises the Cookies technology to match its functionality to your individual needs. You may therefore consent to having your entered data and information saved, so that they may be later on used on subsequent visits to the Online Shop website without having to enter them again. Owners of other Websites will not have access to this data and information. If, however, you do not agree to personalisation of the Online Shop, you may disable the Cookies in your Internet browsers.
8. Anyone using our Online Shop may choose whether and how they wish to use our services and share their data and information within a certain scope, as per this Privacy Policy.
9. Your personal data is processed by our company, the Personal Data Administrator, in order to execute sales and purchase contracts, as well as other services provided to you (i.e. persons to whom the data relates) and offered by the Online Shop. As per the rule of minimisation, we only process the categories of personal data that are considered necessary to achieve purposes specified in the previous sentence.
10. We shall process the personal data only for however long it is necessary to achieve said purposes. The personal data may be processed for a longer period of time only when the Personal Data Administrator is required by the relevant mandatory rules of law to do so, or when the provided service is continuous (e.g. newsletter subscription).
11. The source of the personal data processed by the Personal Data Administrator are the persons to whom the data relates.
12. The legal basis for the processing of your personal data is primarily:
a. art. 6 § 1 point b GDPR ie. the necessity to perform the contract to which you are a party or to act on your demand before the conclusion of the contract,
b. art. 6 § 1 point f GDPR ie. the Administrator's legitimate interest in determining, pursuing or defending claims until their statute of limitations, or until the completion of relevant proceedings, if they were initiated during this period,
c. art. 6 § 1 point a GDPR ie. Your consent to the processing of personal data for specific purposes, when other legal grounds for the processing of personal data do not apply - in the case of the newsletter service.
13. Your personal data shall not be shared with any third country, as per the GDPR.
14. No personal data is shared with any third parties without express consent of the person to whom the data relates. Personal data may be shared without the consent of the person to whom it relates only with legal public bodies, i.e. government and administrative bodies (e.g. tax offices, judicial authorities and other entities with a mandate stipulated by the relevant mandatory rules of law).
15. Personal data used in payment transactions may be transferred to PayLane available at https://paylane.com - through PayLane Sp. z o. o., with registered address at 4 Norwida Street, 80- 280 Gdansk, Poland, KRS: 0000227278 NIP (Tax Identification Number): 586-214-10-89, REGON 220010531 or PayPal available at https://paypal.com - through PayPal Polska Sp. Zoo. with its registered office at: 53 Emilii Plater Street, 00-113 Warsaw, Poland KRS: 0000289372, NIP (Tax Identification Number): 5252406419, REGON: 141108225, or Przelewy24 available at https://przelewy24.pl through PayPro SA, with registered address 15 Kancelarska Street, 60-327 Poznan, Poland, KRS: 0000347935 NIP (Tax Identification Number): 779 236 98 87, REGON 301345068 to the extent necessary to process payments for an order placed in the Online Shop. The customer has the right to access their personal data and correct them. Providing personal data is voluntary, but necessary for the purposes of using the website.
16. Personal data may be shared with entities that process the data on our request, i.e. on the request of the Personal Data Administrator. In such cases, as the Personal Data Administrator, we conclude a contract for personal data processing with such an entity. The processing entity processes the shared personal data solely for purposes specified in the aforementioned contract. Without sharing the personal data with such entities we would not be able to conduct our business activity in our Online Shop, nor deliver to you any packages with your ordered Products. As the Personal Data Administrator, we share the personal data for processing with entities:
a. providing hosting services for the Online Shop website,
b. providing postal, courier and shipping services for the ordered Products,
c. providing other services to us, the Personal Data Administrator, which are necessary for the proper functioning of the Online Shop.
17. The personal data is not profiled by the Personal Data Administrator.
18. According to the GDPR, each person whose personal data is being processed by the Personal Data Administrator as the right to:
a. be informed of the processing of their personal data, as per art. 12 of the GDPR – the Administrator is obliged to share information specified in the GDPR (incl. relating to data itself, contact details, purposes and legal basis for personal data processing, personal data recipients or categories of recipients, if any exist, or the period for which the data shall be processed or criteria, based on which such a period is set) with the person to whom the data relates; this obligation should be executed immediately at the moment when the data is first acquired (e.g. when an order is placed by a client in the online shop), and if the data is not acquired from the person to whom it relates, but from another source, then it should be executed within a reasonable time frame, depending on the circumstances; the Administrator may choose to not provide this information to the person to whom the data relates if this person has already been informed,
b. have access to their personal data, as per art. 15 of the GDPR – when providing us with your personal data, you have the right to access and review it; it does not mean, however, that you have access to all documents that contain your data, seeing as such documents may contain confidential information; you do have the right to be informed as to which of your data is being processed and how, as well as the right to receive copies of your personal data, with the first copy being issued free of charge, and for each subsequent one, according to the GDPR, we may charge a relevant administrative fee relating to the making of the copy,
c. correct or update the personal data, as per art. 16 of the GDPR – if your personal data has changed, please inform us, as the Personal Data Administrator, of this fact, so that the personal data we are holding corresponds to the actual information and is up to date; also, in situations where the personal data has not changed, but for some reason the data we hold is incorrect or has been incorrectly saved (e.g. due to an editorial mistake), please inform us of this, so that we may correct the relevant data points,
d. delete the data (the right to be forgotten), as per art. 17 of the GDPR – in other words, you have the right to demand that we “delete” the data held by us, as the Personal Data Administrator, and the right to request that we, as the Personal Data Administrator, inform other administrators we shared your data with, of your wish to have it deleted. You may request deletion of your personal data first and foremost when:
-the purposes for which the personal data had been shared have been fulfilled, e.g. we fully executed the sale contract we had concluded,
- the basis for the processing of your personal data was an express consent that was subsequently withdrawn and there is no other legal basis for us to further process your personal data, e.g. when you unsubscribe from our newsletter and do not use any of our services,
- you filed a rejection of the processing of your personal data by us, as per art. 21 of the GDPR, and believe that we have no underlying legal basis allowing us to further process your personal data,
- your personal data was being processed illegally, i.e. for purposes that were against the law or without any legal basis for its processing – please remember that in such cases you will need to provide a basis for such a request,
- the need to delete your personal data results from the mandatory rules of law,
- the personal data relates to a minor and was collected as part of an information society service,
e. limit the processing, as per art. 18 of the GDPR – you may request from our company that we limit the scope of the processing of your personal data (meaning that until the matter is clarified, we would limit ourselves to merely storing the data), if:
- you question the accuracy of your personal data, or
- you believe that we are processing your personal data without a legal basis, but simultaneously you do not want us to delete the personal data (i.e. you are not realising the aforementioned right), or
- you filed a Rejection, as per the letter f) of this point, or
- your personal data is needed to ascertain or defend against claims, e.g. before a court of law,
f. transfer the data, as per art. 20 of the GDPR – you have the right to receive your data in a format allowing you to review it on your computer and the right to transfer the data in such format to another administrator; you have this right only when the basis for the processing of your personal data was an express consent (e.g. via subscribing to the newsletter service) or the data was processed automatically,
g. file a rejection to the processing of the personal data, as per art. 21 of the GDPR – you have the right to file a rejection, if you do not agree to us processing your personal data that we had processed thus far for specific purposes, in accordance with the mandatory rules of law,
h. refuse profiling, as per art. 22, relating to art. 4.4 of the GDPR – in our Online Shop you shall not be subject to automated decision-making or profiling, as per the GDPR, unless you provide us with an express consent to do so; additionally, you shall always be informed of any instances of profiling, should they occur,
i. file a complaint to a regulatory body (i.e. to the President of the Data Protection Authority), as per art. 77 of the GDPR – if you believe we are processing your personal data illegally or in any way that violates your rights resulting from the mandatory rules of personal data protection laws.
19. In relation to the right to delete the data (the right to be forgotten), please note that, according to the GDPR, this right is not applicable, if:
a. processing your personal data is necessary in order to exercise the right to freedom of speech, e.g. if you placed your data in a blog or comments, etc.
b. processing your personal data is necessary for our company to fulfil its statutory legal duty – we cannot delete your data, as long as we are bound by exercising certain legal (e.g. tax-related) obligations.
c. processing your personal data is performed for the purposes of investigating, ascertaining or defending against claims.
20. Should you wish to exercise any of your abovementioned rights, please refer to the relevant tabs in our Online Shop that allow you to delete your account and data collected by our Online Shop or please send an e-mail to the following address: info [!at] rainbowsocks.com.
21. Each ascertained instance of security breach is documented, and should any of the events, as described by the GDPR or the Act, occur, the persons to whom the data relates, as well as the PDPA, if applicable, shall be informed of it.
22. All words that are capitalised have meanings defined in the Terms and Conditions of our Online Shop, unless stated otherwise in this Privacy Policy.
23. All matters not regulated by this Privacy Policy shall be regulated by the relevant mandatory rules of law. Should any of the provisions of this Privacy Policy not comply with the abovementioned rules of law, the rules of law shall take precedence.