Privacy Policy of the Online Store 

shop.camerimage.pl

 

  1. GENERAL PROVISIONS
  2. The administrator of personal data collected through the website https://shop.camerimage.pl is: Fundacja Tumult, place of business: Fundacja Tumult, ul. Rynek Nowomiejski 28, 87-100 Toruń, address for service: ul. Rynek Nowomiejski 28, 87-100 Toruń, Tax ID (NIP): 9560008579, REGON: 001382587, email address: [email protected], hereinafter referred to as the “Administrator”.
  3. Personal data collected by the Administrator through the website are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), hereinafter referred to as GDPR, and the personal data protection act of 10th May 2018.

 

  1. TYPE OF PROCESSED PERSONAL DATA, PURPOSE AND SCOPE OF DATA COLLECTION
  1. PURPOSE AND LEGAL BASIS OF PROCESSING. The Administrator processes personal data via the website https://shop.camerimage.pl in case of:
  1. Placing an order in the Online Store, for the purpose of executing a sales contract. Legal basis: necessity to perform a sales contract (Art. 6 (1) (b) GDPR);
  2. Registering an account in the Online Store, to create an individual account and manage this account. Legal basis: necessity to provide an Account service (Art. 6 (1) (b) GDPR);
  3. Using the contact form by the user. Personal data is processed based on Art. 6 (1) (f) GDPR as the legitimate interest of the Administrator.
  4. Using the “ask about a product” service, and/or “notify about availability” service to execute a contract, the subject of which is a service provided electronically. Legal basis: necessity to provide the “ask about a product” and/or “notify about availability” service (Art. 6 (1) (b) GDPR);
  5. Subscribing to the Newsletter to receive commercial information electronically. Personal data is processed after obtaining separate consent, based on Art. 6 (1) (a) GDPR.
  1. TYPE OF PROCESSED PERSONAL DATA. The Administrator processes the following categories of user personal data:
  1. First and last name,
  2. Email address,
  3. Phone number,
  1. PERSONAL DATA RETENTION PERIOD. User’s personal data is stored by the Administrator:
  1. If the basis for processing data is the performance of a contract, as long as it is necessary to perform the contract, and thereafter for a period corresponding to the statute of limitations for claims. Unless a specific provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activities – three years.
  2. If the basis for processing data is a consent, as long as the consent is not revoked, and after the revocation of consent for a period corresponding to the statute of limitations for claims that the Administrator may raise and which may be raised against him. Unless a specific provision provides otherwise, the limitation period is six years, and for claims for periodic benefits and claims related to business activities – three years.
  1. When using the website, additional information may be collected, in particular: the IP address assigned to the user’s computer or the external IP address of the Internet provider, domain name, type of browser, access time, operating system type.
  2. Navigation data may also be collected from users, including information about links and references that they decide to click on or other actions taken on the website. The legal basis for such activities is the legitimate interest of the Administrator (Art. 6 (1) (f) GDPR), which consists of facilitating the use of services provided electronically and improving the functionality of these services.
  3. Providing personal data by the user is voluntary.
  4. Personal data will also be processed automatically in the form of profiling if the user consents to it based on Art. 6 (1) (a) GDPR. The consequence of profiling will be assigning a profile to a person to make decisions about her or analyzing or predicting her preferences, behaviors, and attitudes.
  5. The Administrator takes special care to protect the interests of the data subjects, and in particular ensures that the data he collects are:
  6. Processed in accordance with the law,
  7. Collected for specified, lawful purposes and not subjected to further processing inconsistent with those purposes,
  8. Factually correct and adequate in relation to the purposes for which they are processed and stored in a form that allows identification of the persons to whom they relate, no longer than is necessary to achieve the purpose of the processing.

III. DISCLOSURE OF PERSONAL DATA

  1. Users’ personal data is transferred to service providers used by the Administrator when running the website. Service providers to whom personal data is transferred, depending on contractual arrangements and circumstances, either follow the Administrator’s instructions regarding the purposes and methods of processing these data (processors) or independently determine the purposes and methods of their processing (controllers).
  2. Users’ personal data is stored exclusively within the European Economic Area (EEA).
  3. In the case of making a purchase in the Online Store, personal data may be transferred, depending on the Customer’s choice, to the following entities for the delivery of ordered goods: Courier company;
  4. InPost Paczkomaty Sp. z o.o. based in Kraków, providing delivery services and the postal locker system (Paczkomaty);
  5. Poczta Polska S.A. based in Warsaw;
  6. Ruch S.A. based in Warsaw, providing delivery services at sales points;
  7. DHL Parcel Polska Sp. z o.o. based in Warsaw,
  8. In the event that the Client chooses payment through the PayU system or Visa Checkout, their personal data are transferred to the extent necessary for the execution of the payment to PayU S.A., located in Poznań (60-166) at Grunwaldzka 182, registered in the business register maintained by the Poznań – Nowe Miasto and Wilda District Court in Poznań, 8th Commercial Department of the National Court Register under the number KRS 0000274399.
  9. If the Client chooses the payment method “PayU Pay Later”, their personal data are transferred to the extent necessary for the execution of the payment to PayU S.A. and also to the Seller’s lending partner, namely Twisto Polska sp. z o.o., located in Warsaw (02-566) at Puławska 2, registered in the business register maintained by the District Court for the capital city of Warsaw in Warsaw, 13th Commercial Department of the National Court Register under the number KRS 0000689624 and ING Bank Śląski S.A., located in Katowice (40-086) at Sokolska 34, registered in the business register maintained by the Katowice – East District Court in Katowice, 8th Commercial Department of the National Court Register under the number KRS 0000005459.

 

  1. RIGHT TO CONTROL, ACCESS TO PERSONAL DATA CONTENT, AND CORRECTION

 

  1. The individual to whom the data pertains has the right to access their personal data content and the right to correct, delete, restrict processing, data portability, the right to object, and the right to withdraw consent at any time without affecting the legality of processing based on consent before its withdrawal.
  2. Legal bases for user requests:

 

  1. Access to Data – Article 15 of the GDPR

The Customer has the right to obtain confirmation from the Controller whether personal data concerning them is being processed. If such processing takes place, the Customer has the right to:

  1. Access their personal data.
  2. Receive information about the purposes of processing, categories of personal data processed, recipients or categories of recipients of these data, the intended retention period of the Customer’s data or the criteria for determining this period (when specifying the intended period of data processing is not possible), the rights of the Customer under the GDPR, and the right to lodge a complaint with the supervisory authority, the source of these data, and the safeguards used in connection with the transfer of these data outside the European Union.
  3. Obtain a copy of their personal data.

 

  1. Data Rectification – Article 16 of the GDPR

The Customer has the right to request the Controller to promptly rectify their inaccurate personal data. Considering the purposes of processing, the Customer whose data is concerned has the right to request the completion of incomplete personal data, including by providing an additional statement, by sending the request to the email address [email protected].

  1. Erasure of Data (Right to be Forgotten) – Article 17 of the GDPR. The Customer has the right to request the erasure of all or some of their personal data.
  2. a) The Customer has the right to request the erasure of personal data if:
  3. the personal data is no longer necessary for the purposes for which it was collected or processed;
  4. the Customer withdraws specific consent to the extent that personal data was processed based on their consent;
  5. they object to the use of their data for marketing purposes;
  6. the personal data is processed unlawfully;
  7. the personal data must be deleted to comply with a legal obligation;
  8. the personal data was collected in connection with offering information society services.
  9. b) Despite the request for erasure of personal data, due to objection or withdrawal of consent, the Controller may retain certain personal data to the extent necessary for the establishment, exercise, or defence of legal claims, as well as to fulfil a legal obligation. This applies especially to personal data including: first name, last name, email address, which is retained for the purpose of handling complaints and claims related to the use of the Controller’s services, or additionally, the residential/correspondence address, order number, which is retained for the purpose of handling complaints and claims related to concluded sales agreements or service provision.
  10. Despite the request for erasure of personal data, due to objection or withdrawal of consent, the Controller may retain certain personal data to the extent necessary for the establishment, exercise, or defence of legal claims, as well as to fulfil a legal obligation. This applies especially to personal data including: first name, last name, email address, which is retained for the purpose of handling complaints and claims related to the use of the Controller’s services, or additionally, the residential/correspondence address, order number, which is retained for the purpose of handling complaints and claims related to concluded sales agreements or service provision.
  11. Restriction of Processing – Article 18 of the GDPR
  12. a) The Customer has the right to request the restriction of processing of their personal data. Submitting a request, until its resolution, prevents the use of specific functionalities or services that involve the processing of the data covered by the request. The Controller will also not send any messages, including marketing ones.
  13. b) The Customer has the right to request the restriction of the use of personal data in the following cases:
  14. when they contest the accuracy of their personal data – in this case, the Controller restricts their use for the time necessary to verify the accuracy of the data, but no longer than 7 days;
  15. when the processing of data is unlawful, and instead of deleting the data, the Customer demands restriction of their use;
  16. when personal data is no longer necessary for the purposes for which it was collected or used, but the Customer needs it to establish, exercise, or defend legal claims;
  17. when they object to the use of their data – in this case, the restriction occurs for the time necessary to consider whether, due to the Customer’s specific situation, the protection of their interests, rights, and freedoms outweighs the interests pursued by the Controller by processing the Customer’s personal data.
  18. Data Portability – Article 20 of the GDPR. The Customer has the right to receive their personal data that they provided to the Controller and then transmit it to another data controller chosen by them. The Customer also has the right to request that the personal data be transmitted by the Controller directly to such a data controller, if it is technically feasible. In this case, the Controller will send the Customer’s personal data in the form of an XML file, which is a commonly used machine-readable format and allows for the transmission of received data to another data controller.
  19. Objection – Article 21 of the GDPR
  20. a) The Customer has the right to object at any time, for reasons related to their particular situation, to the processing of their personal data if the Controller processes their data based on a legitimate interest, e.g., marketing of the Controller’s products and services, conducting statistics on the use of individual functionalities of the Online Store, facilitating the use of the Online Store, as well as satisfaction surveys.
  21. b) Opting out of receiving marketing communications about products or services via email will constitute the Customer’s objection to the processing of their personal data for these purposes.
  22. b) If the Customer’s objection is justified and the Controller has no other legal basis for processing personal data, the Customer’s personal data will be deleted for which the Customer has raised an objection.
  23. Withdrawal of Consent – Article 7(3) of the GDPR. The Customer has the right to withdraw any consent given.
  24. a) The withdrawal of consent has an effect from the moment of withdrawal.
  25. b) The withdrawal of consent does not affect processing carried out by the Controller in accordance with the law prior to its withdrawal.
  26. c) The withdrawal of consent does not entail any negative consequences for the Customer, but it may prevent further use of services or functionalities that the Controller may provide only with consent according to the law.

 

  1. To exercise the rights referred to in point 2, one can send an appropriate email to the address: [email protected].
  2. When a user exercises any of the rights mentioned above, the Administrator will either comply with the request or deny it promptly, no later than within one month of receiving it. However, if – due to the complex nature of the request or the number of requests – the Administrator cannot fulfil the request within a month, they will do so within the next two months, notifying the user in advance within a month from receiving the request about the intended extension of the deadline and its reasons.
  3. If it is determined that the processing of personal data violates the GDPR regulations, the person to whom the data relates has the right to lodge a complaint with the President of the Personal Data Protection Office.

 

  1. COOKIES

 

  1. The Administrator’s site uses “cookies”.
  2. Installing “cookies” is necessary for the proper provision of services on the website. “Cookies” contain information essential for the proper functioning of the website and also allow the compilation of general visit statistics for the website.
  3. The site uses two types of “cookies”: session and persistent.
  4. “Session” cookies are temporary files stored on the user’s terminal device until logging out (leaving the website).
  5. “Persistent” cookies are stored on the user’s terminal device for the period specified in the cookie parameters or until removed by the user.
  6. The Administrator uses their own cookies to better understand user interaction with the site content. These files gather information about how the user uses the website, the type of page from which the user was redirected, and the number of visits and time of the user’s visit to the website. This information does not record the user’s specific personal data but serves to compile website usage statistics.
  7. Users have the right to decide on the access of “cookies” to their computer by previously selecting them in their browser window. Detailed information about the possibilities and ways of handling “cookies” is available in the software settings (web browser).

 

  1. SECURITY MANAGEMENT – PASSWORD
  2. The Administrator provides clients with a secure and encrypted connection during personal data transfer and when logging into the Customer Account on the Service. The Administrator uses an SSL certificate issued by one of the world’s leading companies in internet data security and encryption.
  3. In the event that a client with an account in the Online Store loses their access password in any way, the Online Store enables the generation of a new password. The Administrator does not send password reminders. The password is stored encrypted, making it unreadable. To generate a new password, one should provide the email address in the form available under the “Forgot Password” link, provided next to the account login form in the Online Store. The client will receive an email to the address provided during registration or saved in the last profile change, containing a link to a dedicated form on the Online Store’s website, where the client can set a new password.
  4. The Administrator never sends any correspondence, including emails, asking for login details, especially the client’s account access password.

 

VII. FINAL PROVISIONS

  1. The Administrator applies technical and organizational measures ensuring the protection of processed personal data appropriate to the threats and category of data under protection, and in particular, secures data against disclosure to unauthorized persons, theft by an unauthorized person, processing in violation of applicable regulations, and alteration, loss, damage, or destruction.
  2. The Administrator provides appropriate technical means to prevent unauthorized persons from acquiring and modifying personal data transmitted electronically.
  3. In matters not regulated by this Privacy Policy, the GDPR provisions and other relevant Polish law regulations are applied accordingly.
Facebook Instagram Envelope

Social Media

View Cart Checkout Continue Shopping