This document constitutes information of the personal data controller drawn up on the basis of art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as repealing Directive 95/46/EC (GDPR).

  1. Personal data controller
    1. The controller of personal data within the meaning of art. 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as repealing Directive 95/46/EC (GDPR) is Centrum Doradztwa Prawnego i Szkoleń Spółka z ograniczoną odpowiedzialnością (LLC) with its registered office in Krakow at ul. Kącik 3D, 30-702 Cracow, entered into the Register of Entrepreneurs of the National Court Register by the District Court for Cracow-Śródmieście in Cracow, 11th Commercial Division of the National Court Register under KRS number: 0000455477, NIP: 9930652049, REGON: 122806823, share capital PLN 50,000.
    2. Contact details of the data controller:
      1. phone number: +48 690 233 244,
      2. e-mail address: biuro@kancelariacentrum.pl.
    3. The data controller undertakes to maintain secrecy related to personal data as well as their proper protection. The controller in accordance with art. 32 sec. 1 of the GDPR complies with the rules on the protection of personal data and applies appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure, or unauthorized access to personal data processed in respect of the business.
    4. Providing personal data is voluntary; however, it is necessary to establish cooperation and/or conclude a contract with the data controller.
    5. In the event that the provision of personal data takes place in order to transfer the client's personal data to Twisto Polska sp. z o.o. (LLC) prior to concluding a contract for the provision of services, the provision of such data is a condition for concluding a contract in connection with the business model adopted by the data controller.
    6. In the event of a transfer of personal data to ING Bank Śląski S.A. (henceforth 'Bank') in connection with the handling and settlement of payments made to the data controller via the Internet by means of payment instruments, the provision of data is required in order to make the payment and provide the payment’s confirmation by the Bank to the data controller.
    7. In the event of personal data being transferred to the Bank for the purpose of verification by the Bank of the proper performance of contracts concluded with the controller, in particular, to ensure the protection of the interests of payers in connection with their complaints, the provision of this data is required to enable the performance of the contract concluded between the data controller and the Bank.
    8. In the event of a transfer of personal data to Twisto Polska sp. z o.o. (LLC) in connection with the possibility of offering the client the payment of the price for the service by Twisto Polska sp. z o.o. (LLC) as part of a mandate contract covering the 'Buy with Twisto' purchasing formula and making this formula available by the data controller, the provision of this data and its processing for this purpose is required in connection with the model of running a business adopted by the data controller and in order to implement the contract concluded between the data controller and Twisto Polska Sp. z o.o.
    9. The data controller processes personal data only to the extent necessary for the proper provision of services or for taking steps at the request of the data subject.
  2. The purpose and grounds for the processing of personal data

    The controller processes personal data for the following purposes:

    1. the preparation of a commercial offer in response to the client's interest, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
    2. the provision of electronic services via the Website, on the basis of the concluded contract (Article 6 (1) (b) of the GDPR);
    3. the handling of the complaint process, based on the obligation of the data controller in connection with applicable law (Article 6 (1) (c) of the GDPR);
    4. the accounting related to issuing and accepting settlement documents, pursuant to the provisions of tax law (Article 6 (1) (c) of the GDPR);
    5. the archiving of data for possible determination, investigation, or defense against claims, or the need to demonstrate facts, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
    6. contacting by phone or via e-mail, in particular in response to inquiries directed at the data controller, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
    7. the sending of technical information regarding the functioning of the Website and services used by the client, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
    8. the marketing of the data controller's own products, which is their legitimate interest (Article 6 (1) (f) of the GDPR) or based on prior consent (Article 6 (1) (a) of the GDPR);
    9. the transfer of personal data to ING Bank Śląski S.A. (henceforth 'Bank') in connection with:
      • provision by the Bank to the Online Store of the service of providing infrastructure for handling payments via the Internet (legal basis: Article 6 (1) (f) of the GDPR);
      • service and settlement by the Bank of payments made by clients of the Online Store via the Internet by means of payment instruments (legal basis: Article 6 (1) (f) of the GDPR);
      • verification by the Bank of the proper performance of contracts concluded with the Online Store, in particular to ensure the protection of payers' interests in connection with their complaints (legal basis: Article 6 (1) (f) of the GDPR);
    10. the transfer of personal data to Twisto Polska sp. z o.o. (LLC) in connection with the possibility of offering payment for the purchased goods or service by Twisto Polska sp. z o.o. (LLC) under the mandate contract covering the 'Buy with Twisto' purchasing formula and making this purchasing formula available through the Online Store, as well as for verification by Twisto Polska Sp. z o.o. (LLC) the proper performance of such mandate contracts (legal basis: Article 6 (1) (f) of the GDPR).
  3. Data recipients. Data transfer to third countries
    1. The recipients of personal data processed by the data controller may be entities cooperating with the data controller when it is necessary for the performance of the contract concluded with the data subject.
    2. In connection with the processing of personal data for the purposes specified in section II letters i) and j), personal data may be made available by the Online Store to other recipients or categories of recipients of personal data, which may be:
      1. ING Bank Śląski S.A.
      2. Twisto Polska Sp. z o.o.
    3. The recipients of personal data processed by the data controller may also be subcontractors - entities whose services are used by the data controller when processing data, e.g., accounting offices, law firms, entities providing IT services (including hosting services).
    4. The data controller may be required to provide personal data on the basis of applicable law, in particular to disclose personal data to authorized bodies or government institutions.
    5. Personal data will not be transferred to entities based outside the European Economic Area.
  4. Period of storage of personal data
    1. The data controller stores personal data for the duration of the contract concluded with the data subject and after its termination for purposes related to the pursuit of claims related to the contract, performance of obligations under applicable law, but for no longer than the limitation period in accordance with the provisions of the Civil Code.
    2. The data controller stores personal data on settlement documents (e.g., invoices) for the period of time specified by the provisions of the taxation of goods and services act (VAT Act) and the Accounting Act.
    3. The data controller stores personal data processed for marketing purposes for a period of 10 years, but no longer than until the consent to data processing is withdrawn or an objection to data processing is raised.
    4. The data controller stores personal data for purposes other than those indicated in paragraphs 1-3 for a period of 3 years, unless the consent to data processing has been withdrawn earlier and the data processing may not be continued on a basis other than the consent of the data subject.
  5. The rights of the data subject
    1. Each data subject has the right to:
      1. access - obtain confirmation from the controller whether or not their personal data is being processed. If data about a person is processed, they are entitled to access it and obtain the information regarding: the purposes of processing, categories of personal data, information about recipients or categories of recipients to whom the data has been or will be disclosed, the period of data storage or about the criteria determining the right to request rectification, deletion or limitation of the processing of personal data due to the data subject, and objection to such processing (Article 15 of the GDPR);
      2. receive a copy of the data - obtain a copy of the data that is subject to processing, the first copy being free of charge, with the controller potentially charging a reasonable fee for subsequent copies resulting from administrative costs (Article 15 (3) of the GDPR);
      3. rectify - request rectification of incorrect personal data concerning the data subject or supplementing incomplete data (Article 16 of the GDPR);
      4. delete data - request to delete their personal data, if the controller no longer has a legal basis for their processing or the data is no longer necessary for the purposes of processing (Article 17 of the GDPR);
      5. limit processing - request to limit the processing of personal data (Article 18 of the GDPR), when:
        • the data subject contests the accuracy of the personal data - for a period enabling the controller to verify the accuracy of the data,
        • the processing is unlawful, and the data subject opposes their removal, requesting the restriction of their use,
        • the controller no longer needs this data, but it is needed by the data subject to establish, assert, or defend claims,
        • the data subject has objected to the processing - pending the verification whether the legitimate grounds of the controller override those of the data subject;
      6. transfer data – receive the personal data of the data subject in a structured, commonly used machine-readable format, which they have provided to the controller, and request that this data be sent to another controller, if the data is processed on the basis of the consent of the data subject or a contract concluded with them and if the data is processed in an automated manner (Article 20 of the GDPR);
      7. object - object to the processing of the data subject's personal data for the legitimate purposes of the controller, for reasons related to their particular situation, including profiling. In that event, the controller assesses the existence of valid, legitimate grounds for processing that override the interests, rights, and freedoms of data subjects, or the grounds for establishing, investigating, or defending claims. If, according to the assessment, the interests of the data subject are more important than those of the controller, the controller will be obliged to stop processing the data for these purposes (Article 21 of the GDPR).
    2. In order to exercise the aforementioned rights, the data subject should contact the controller using the contact details provided and inform which right they wish to exercise and to what extent.
    3. The data subject has the right to file a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.
  6. Automated decision-making. Profiling

    Personal data will not be processed automatically, which includes the process of profiling.