Privacy policy - EMPIKFOTO.COM
 
 

PRIVACY POLICY

1. DEFINITIONS

1.1. Controller – Empik Foto Sp. z o.o., with its registered office in Warsaw, at Marszałkowska 104/122.

1.2. Personal data – any information related to an identified or identifiable natural person; an identifiable natural person is one who can be identified by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including IP of the device, location data, online ID or information collected by cookie files or another similar technology.

1.3. Policy – this Privacy Policy.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Website – the website run by the Controller at www.empikfoto.com.

1.6. Mobile Application – software named “Empik Foto,” available for free download onto a mobile device from Google Play store (for Android devices) and App Store (for iOS devices).

1.7. User – any natural person visiting the Website or using one or more services or functions described in the Policy.

2. DATA PROCESSING WITH RESPECT TO THE WEBSITE USE

2.1. In relation to the User’s use of the Website, the Controller collects data to the extent necessary to offer specific services, as well as information on the User’s Website activity. Detailed rules and purposes of the processing of personal data collected while the User uses the Website are provided below.

3. PURPOSE AND LEGAL BASIS OF DATA PROCESSING ON THE WEBSITE

USE OF THE WEBSITE

3.1. The personal data of individuals using the Website (incl. IP address or any other identifiers, and information collected by cookies or other similar technologies), who are not registered Users (i.e. do not have an account on the Website), are processed by the Controller:

3.1.1. to provide electronic services by offering Users access to the contents of the Website, including:

  a) to the extent necessary to prepare, define, alter and adequately perform the services performed online and orders placed by Users;
  b) to process Users’ orders for products listed on the Website;
  c) to process complaints submitted by Users and to make refunds in case of rescission of an agreement (return of items)

– processing is necessary for the performance of a contract (Article 6 section 1 item b) of GDPR);

3.1.2. for analytical and statistical purposes – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in analyses of Users’ activity and preferences in order to improve functionality and the quality of services;

3.1.3. for the establishment, exercise or defense of legal claims – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in the protection of its rights;

3.1.4. for marketing purposes of the Controller and its trusted partners: sending an e-mail newsletter and text (SMS) / multimedia (MMS) messages – processing is based on the User’s consent (Article 6 section 1 item a) of GDPR);

3.1.5. for the Controller’s marketing purposes, incl. presentation of offers and products available on the Website, related to the performance of services online – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR).

Detailed rules on personal data processing for marketing purposes are provided in the “MARKETING” section.

3.2. The User’s Website activity, including personal details, is registered in system logs (special software to chronologically store records of events and activities related to an IT system used by the Controller to provide services). The information contained in the logs is processed primarily for purposes related to the performance of services. The Controller also processes it for technical purposes, for administrative purposes, to ensure security of the IT system, to manage the system, as well as for analytical and statistical purposes – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR).

REGISTRATION ON THE WEBSITE

3.3. Individuals who wish to register on the Website are asked to provide data that is necessary to set up and manage an account. In order to facilitate services, a User may provide additional data, consenting to its processing. Such data can be removed at any time. The provision of data marked as mandatory is required to open and manage an account, while failure to provide such data makes it impossible to set up an account. Other details are provided on a voluntary basis.

3.4. Personal data is processed:

3.4.1. to provide services related to the management of accounts on the Website – processing is necessary for the performance of a contract (Article 6 section 1 item b) of GDPR); with respect to optional data, processing is based on the data subject’s consent (Article 6 section 1 item a) of GDPR);

3.4.2. for analytical and statistical purposes – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in analyses of Users’ preferences, Website activity and manner of using their accounts in order to improve functionality;

3.4.3. for the establishment, exercise or defense of legal claims – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in the protection of its rights;

3.4.4. for marketing purposes of the Controller and other entities – detailed rules on personal data processing for marketing purposes are provided in the “MARKETING” section.

3.5. Users can log in to their account on the Website via social media sites (Facebook, G+). In such case, the Website will only collect data necessary for registration and account management purposes from the User’s social media profile. By changing add-on settings, the User can easily extend the scope of data collected, which might be useful for certain functions of his/her account on the Website.

3.6. The User can only put any personal data (such as full name, residence, telephone number or e-mail address) of other people on the Website if this does not violate applicable legal regulations and personal rights of such individuals.

ORDER PLACEMENT (PAID SERVICES ON THE WEBSITE)

3.7. Any order placement (purchase of goods or services) by the Website’s User leads to the processing of his/her personal data. The provision of data marked as mandatory is required to accept and process an order, while failure to provide such data means that the order will not be completed. Other details are provided on a voluntary basis.

3.8. Personal data is processed:

3.8.1. to complete an order – processing is necessary for the performance of a contract (Article 6 section 1 item b) of GDPR); with respect to optional data, processing is based on the data subject’s consent (Article 6 section 1 item a) of GDPR);

3.8.2. to perform the Controller’s legal obligations arising (in particular) from tax and accounting regulations – processing is necessary for compliance with a legal obligation (Article 6 section 1 item c) of GDPR);

3.8.3. for analytical and statistical purposes – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in analyses of Users’ shopping preferences and Website activity in order to improve functionality;

3.8.4. for the establishment, exercise or defense of legal claims – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in the protection of its rights.

CONTACT FORMS

3.9. The Controller can be contacted through online contact forms. In order to use such a form, it is necessary to provide personal data which makes it possible to get in touch with and respond to the User. The User may also provide additional details to facilitate contact and handling of inquiries. The provision of data marked as mandatory is required to accept and process a query, while failure to provide such data means that the inquiry will not be handled. Other details are provided on a voluntary basis.

3.10. Personal data is processed:

3.10.1. to identify the sender and process his/her query sent through the form – processing is necessary for the performance of a contract (Article 6 section 1 item b) of GDPR);

3.10.2. for analytical and statistical purposes – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in generation of statistics of queries submitted by Users through the Website in order to improve functionality.

4. MARKETING

4.1. The Controller processes the Users’ personal details in order to conduct marketing activities that may involve:

4.1.1. displaying marketing content that is not adjusted to the User’s preferences (contextual advertising);

4.1.2. displaying marketing content that matches the User’s interests (behavioral advertising);

4.1.3. sending e-mail, SMS and MMS notifications of special offers, or messages that may contain commercial information;

4.1.4. conducting other activities related to direct marketing of goods and services (sending commercial information by electronic mail and telemarketing activities).

4.2. In order to conduct marketing activities, the Controller uses profiling in some cases. This means that owing to automatic processing of data, the Controller evaluates selected factors related to natural persons in order to analyze their behavior or make future forecasts.

CONTEXTUAL ADVERTISING

4.3. The Controller processes the Users’ personal data for marketing purposes in relation to contextual advertisements (i.e. ones that are not adapted to the User’s preferences). In such case, processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR).

BEHAVIORAL ADVERTISING

4.4. The Controller and its trusted partners process the Users’ personal data (incl. personal data collected through cookies and other similar technologies) for marketing purposes in relation to behavioral advertisements (i.e. ones that are adapted to the User’s preferences).

NEWSLETTER

4.5. The Controller provides newsletter services to individuals who entered their e-mail addresses specifically for that purpose, upon the conditions defined in relevant regulations. Providing the data is required for newsletter services; failure to do so makes it impossible to receive the newsletter.

4.6. Personal data is processed:

4.6.1. to send the newsletter that includes marketing content – processing is based on the User’s consent (Article 6 section 1 item a) of GDPR);

4.6.2. for analytical and statistical purposes – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in analyses of Users’ Website activity in order to improve functionality;

4.6.3. for the establishment, exercise or defense of legal claims – processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR). 

The User may unsubscribe from the newsletter at any time by contacting the Customer Service Department at [email protected]. The User may also opt out of the newsletter by clicking “Unsubscribe” in any newsletter e-mail which s/he has received, or by changing relevant settings on his/her account.

DIRECT MARKETING 

4.7. The User’s personal data may also be used by the Controller to send marketing content through different channels, i.e. electronic mail or SMS/MMS. Such activities are only taken by the Controller if the User has consented to them; this consent may be withdrawn at any time.

5. SOCIAL MEDIA

5.1. The Controller processes the personal data of Users visiting the Controller’s social media profiles (Facebook, YouTube, Instagram, Twitter). This data is processed exclusively in relation to a given profile, to notify the Users of the Controller’s activity, promote various events, services and products, and communicate with users through functions available in the social media. In such case, processing is necessary for the purposes of the legitimate interests pursued by the Controller (Article 6 section 1 item f) of GDPR), consisting in the promotion of its brand, and development and maintenance of a community related to that brand.

6. MOBILE APPLICATION

6.1. The Controller also processes the Users’ personal data to enable them to use the services offered on the Website and additional services available in the Mobile Application. The Users’ data is processed for registration in the Mobile Application and its use. In this case, processing is necessary for the performance of a contract (Article 6 section 1 item b) of GDPR).

6.2. Through the Mobile Application, the User can view the Website, have access to his/her account on the Website, place orders and pay for them, read the information available in the Mobile Application and use its other functions. Given its technical limitations, the Mobile Application does not make it possible to use all functions of the Website.

7. COOKIES AND SIMILAR TECHNOLOGIES

7.1. Cookies are small text files placed on the device of the User visiting the Website. Cookies collect information that enhances the Website’s user experience, e.g. by remembering the User’s visits and activities. Cookies are placed on the User’s device (computer, smartphone, tablet, etc.). They make it possible e.g. to remember login data, thanks to which the User does not have to type the login and password every single time. Cookies also remember the products added to the cart and personalize the Website content to the User. They also enable the collection of the Website’s statistical data, which allows us to modify the Website in line with our clients’ preferences.

7.2. If the User does not consent to cookies being stored on his/her device, s/he should configure browser settings accordingly or delete cookies after each visit to the Website. It is necessary to keep in mind that disabling or limiting cookies might affect the Website functionality.

7.3. In order to enable cookies, one should give consent at the bottom of the page.

7.4. The Website collects geolocation data, i.e. the Controller checks the location (continent, country, province and town) from which the User places an order.

WEBSITE-RELATED COOKIES

7.5. The Controller uses cookies predominantly in order to provide the User with online services and enhance their quality. Thus, the Controller and other entities performing analytical and statistical services for the Controller use cookies, storing information or gaining access to information that is already stored on the User’s device (computer, smartphone, tablet, etc.). The following types of cookies are used for that purpose:

7.5.1. user input cookies (session ID) for the duration of a session;

7.5.2. authentication cookies for services that require authentication, for the duration of a session;

7.5.3. user-centric security cookies, e.g. to detect any authentication fraud;

7.5.4. multimedia player session cookies (e.g. Flash Player cookies) for the duration of a session;

7.5.5. user interface customization cookies for the duration of a session or a little longer;

7.5.6. cookies used for monitoring website traffic, i.e. data analytics, incl. Google Analytics cookies (files used by Google to analyze how the User navigates the Website, and generate statistics and reports related to the Website). Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information on the scope and rules of data processing with respect to this service is available at: https://www.google.com/intl/pl/policies/privacy/partners.

MARKETING COOKIES

7.6. The Controller and its trusted partners also use cookies for marketing purposes, incl. behavioral advertising. Hence, the Controller and its trusted partners store or gain access to information that is already stored on the User’s device (computer, smartphone, tablet, etc.). It is required to obtain the User’s consent for the use of cookies and personal data collected through cookies for marketing purposes, especially with respect to the promotion of third-party goods and services. Such consent can be withdrawn at any time. The withdrawal of the consent shall not affect the lawfulness of processing based on the consent before its withdrawal. 

8. TERM OF DATA PROCESSING 

8.1. The term of data processing by the Controller depends on the type of services and the purpose of processing. As a general rule, personal data shall be processed for the duration of service performance or order processing, until:

8.1.1. completion of the agreement;

8.1.2. withdrawal of a consent (if the User’s consent serves as the legal basis for data processing); or

8.1.3. submission of an effective objection to data processing (in case the Controller’s legitimate interests serve as the legal basis for data processing).

8.2. The data processing term may be extended in case processing is necessary to establish and pursue any claims or defend them, and afterwards only in case and to the extent required by applicable law. After the end of the processing term, the data is irreversibly destroyed or anonymized.

9. USER'S RIGHTS

9.1. The User shall have the right of access to, and rectification or erasure of, personal data or restriction of processing, the right to data portability, the right to object to processing, and the right to lodge a complaint with a supervisory authority.

9.2. To the extent the User’s data is processed on the basis of a consent, the User can withdraw it at any time by contacting the Controller or using the features available on the Website, incl. by e-mail: [email protected].

9.3. The User shall be entitled to object to the processing of personal data for marketing purposes if the processing takes place in relation to the Controller’s legitimate interests, and – on grounds related to his/her particular situation – in other cases when processing is based on the Controller’s legitimate interests (e.g. in regard to analytical or statistical purposes).

10. DATA RECIPIENTS

10.1. In relation to the provision of services, personal data will be disclosed to external entities, especially providers responsible for IT systems, banks, payment processors, accounting firms, couriers (delivery of orders), marketing agencies (marketing services) and the Controller’s affiliated entities, incl. companies from its capital group.

10.2. In case the User’s consent has been obtained, his/her personal data might also be given to other entities for their own purposes, incl. marketing ones.

10.3. The Controller reserves the right to disclose selected information about the User to competent authorities or third parties that submit a request for such information on a valid legal basis and in accordance with applicable law.

11. TRANSFER OF DATA OUTSIDE EEA

11.1. The level of personal data protection outside the European Economic Area (EEA) differs from the one offered by the EU law. For that reason, the Controller only transfers personal data outside EEA when it is necessary and with an adequate level of protection, including the following in particular:

11.1.1. cooperation with entities processing personal data in countries with respect to which a relevant decision of the European Commission has been issued;

11.1.2. use of standard contractual clauses developed by the European Commission;

11.1.3. application of binding corporate rules approved by a competent supervisory authority;

11.1.4. in case of transfer to the USA: cooperation with entities participating in the Privacy Shield program, approved in a relevant decision of the European Commission.

11.2. The Controller shall always notify Users, at the data collection stage, of its intention to transfer their personal data outside the EEA. 

12. SECURITY OF PERSONAL DATA

12.1. The Controller shall ensure security of the personal data through appropriate technical and organizational measures aimed at preventing unlawful processing of data, its accidental loss, destruction or damage. Moreover, the Controller shall exercise due diligence to make sure that the personal data is:

12.1.1. accurate and lawfully processed;

12.1.2. collected for specified purposes and not further processed in a manner that is incompatible with those purposes;

12.1.3. adequate, relevant and limited to what is necessary in relation to the purposes;

12.1.4. precise and up to date;

12.1.5. not stored for longer than necessary;

12.1.6. stored in a secure manner;

12.1.7. not transferred to countries outside the European Economic Area without sufficient protection.

12.2. In order to better protect the User’s account, it is recommended:

12.2.1. to use a complex password that prevents third persons from guessing it easily. The password should contain at least 8 characters, including uppercase letters, lowercase letters, digits and special characters;

12.2.2. to keep the login and password secret, especially not to disclose them to any third persons;

12.2.3. to log out of the Website after each session (completed purchases, forum posts, etc.). Closing a browser window is not enough to log out of empikfoto.pl. In order to do so, one needs to click the “Logout” button in the upper right corner of the page;

12.2.4. to use anti-virus software, incl. regular scanning to detect viruses;

12.2.5. to use the Website on trusted computers on which reliable software has been installed. Using computers belonging to others entails the risk of interception of the login, password and other data provided by the User;

12.2.6. not to have the browser remember input data, and to clear the browsing history, if the User accesses the Website from someone else’s computer (e.g. in an Internet café).

12.3. The Controller runs an ongoing risk analysis in order to make sure that personal data is processed in a safe manner, and access to data is only provided to authorized individuals to the extent necessary in connection with their tasks. The Controller shall make sure that all personal data operations are registered and made by authorized employees and associates only.

12.4. The Controller shall take all necessary actions to ensure that its subcontractors and other cooperating entities undertake to use adequate security measures any time they process personal data upon the Controller’s request.

13. CONTACT DETAILS

13.1. The Controller can be contacted by e-mail: [email protected], or by regular mail:

Empik Foto Sp. z o.o.

Marszałkowska 104/122

00-017 Warsaw

13.2. The Controller has designated a Data Protection Officer who can be contacted by e-mail: [email protected] in any case related to personal data processing.

14. AMENDMENTS TO PRIVACY POLICY

14.1. The Policy is reviewed and updated (if necessary) on an ongoing basis.