I. Data Controller

  1. A Controller of personal data pursuant to Article 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is Ewelina Ostafin, running an economic activity under the company XYLON Ewelina Ostafin, ul. Św. Brata Alberta 5a, 41-407 Imielin, NIP [Tax ID No]: 6462552139, REGON [Statistical ID No]: 242797710.

  2. E-mail address of the Data Controllerinfo@xylon.pl.

  3. The Data Controller, in accordance with Article 32(1) GDPR, observes the principles of personal data protection and applies appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data processed in connection with the conducted activity.

  4. Providing personal data by the Customer is voluntary, but necessary to conclude an agreement with the Data Controller.

  5. The Data Controller processes the personal data to the extent necessary to perform the Contract or provide services to the data subject.

II. Purpose and grounds for processing personal data

The Data Controller processes the personal data for the following purposes:

  1. Preparation of a commercial offer in response to the Customer’s interest, which is a legitimate interest of the Data Controller (Article 6(1)(f) GDPR);

  2. Conclusion and implementation of Sales Contracts with Customers, based on the concluded agreement (Article 6(1)(b) GDPR);

  3. Providing services by electronic means through the Online Store, based on the concluded agreement (Article 6(1)(b) GDPR);

  4. Handling the complaint process, based on the obligation imposed on the Controller in connection with the applicable law (Article 6(1)(c) GDPR);

  5. Accounting purposes related to the issue and acceptance of settlement documents, pursuant to the provisions of tax law (Article 6(1)(c) GDPR);

  6. Archiving of data for the potential establishment, investigation or defense of claims or the need to prove facts, which is a legitimate interest of the Data Controller (Article 6(1)(f) GDPR);

  7. Contact by phone or e-mail, in particular in response to inquiries addressed to the Data Controller, which is a legitimate interest of the Data Controller (Article 6(1)(f) GDPR);

  8. Sending technical information concerning the functioning of the On-line store and services used by the customer, which is a legitimate interest of the Data Controller (Article 6(1)(f) GDPR);

  9. Marketing the Data Controller’s own products, which is their legitimate interest (Article 6(1)(f) GDPR) or is based on prior consent (Article 6(1)(a) GDPR).

III. Data Recipients Transfer of data to third countries

  1. The Recipients of personal data processed by the Data Controller may be entities cooperating with the Data Controller when it is necessary to perform the contract concluded with the data subject.

  2. The Recipients of personal data processed by the Data Controller may also be subcontractors - entities whose services are used by the Data Controller for data processing e.g. accountancy offices, law firms, entities providing IT services (including hosting services).

  3. The Data Controller may be obliged to make personal data available on the basis of applicable law regulations, in particular to make personal data available to authorized state bodies or institutions.

  4. Personal data will not be transferred to any entity based outside the European Economic Area.

IV. Period of storage of personal data

  1. The Data Controller stores personal data for the duration of the Contract concluded with the data subject and after its termination for the purposes of pursuing claims related to the Contract, fulfilling the obligations arising from the applicable laws, but for no longer than the period of limitation under the Polish Civil Code.

  2. The Data Controller stores the personal data included in the billing documents for the period indicated by the provisions of the Act on Goods and Services Tax and the Accounting Act.

  3. The Data Controller stores the personal data processed for marketing purposes for a period of 10 years, however, not longer than until the withdrawal of consent for the processing of the data or until the objection to the processing of the data is raised.

  4. The Data Controller stores personal data for purposes other than those indicated in paragraphs 1-3 for a period of 3 years, unless consent to the processing of the data has been previously withdrawn and the processing of the data cannot be continued on any other basis than the consent of the data subject.

V. Rights of the data subject

1. Every data subject has the following rights:

  1. to access - obtain confirmation from the Data Controller whether their personal data are being processed. If the data about a person is processed, they are entitled to access it and obtain the following information: about the purposes of processing, categories of personal data, information about the recipients or categories of recipients to whom the data have been or will be disclosed, about the period of storage of the data or about the criteria for their determination, about the right to request the rectification, erasure or restriction of the processing of personal data to which the data subject is entitled and to object to such processing (Article 15 GDPR);

  2. to obtain a copy of the data - to obtain a copy of the data that is subject to processing, the first copy is free of charge, and for subsequent copies the Data Controller may charge a reasonable fee resulting from the administrative costs (Article 15(3) GDPR);

  3. to be rectified - to request the rectification of personal data that are incorrect or to supplement any incomplete data (Article 16 GDPR);

  4. to be deleted - to request the deletion of personal data if the Data Controller no longer has a legal basis for its processing or the data are no longer necessary for the purposes of processing (Article 17 GDPR);

  5. to restrict the processing - to demand restriction of the processing of personal data (Article 18 GDPR), when:
    - The data subject contests the accuracy of the personal data - for a period enabling the Data Controller to verify the accuracy of the data,
    - The processing is unlawful and the data subject opposes erasure of personal data by requesting a restriction on its use,
    - The Data Controller no longer needs the data, but the data subject needs the data in order to establish, pursue or defend their claims,
    - The data subject has objected to the processing - until it has been established whether the Data Controller’s legitimate grounds for objection prevail over those of the data subject;

  1. to transfer the data - receiving, in a structured, commonly used machine-readable format, personal data that the data subject has provided to the Data Controller, and requesting that the data be sent to another Data Controller, if the data are processed on the basis of the data subject’s consent or a concluded agreement, and if the data are processed in an automated way (Article 20 GDPR);

  2. to object - to object to the processing of personal data for the legitimate purposes of the Data Controller, for reasons related to their particular situation, including profiling. The Data Controller will then evaluate the existence of valid legal grounds for processing, overriding the interests, rights and freedoms of data subjects or grounds for establishing, pursuing or defending claims. If, according to the assessment, the interests of the data subject take precedence over the interests of the Data Controller, the Data Controller will be obliged to stop processing the data for these purposes (Article 21 GDPR).

  1. In order to exercise the aforementioned rights, the data subject should contact the Data Controller using the contact details provided and inform them which right they want to exercise and to what extent.

  2. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.

VI. Profiling

Personal data obtained by the Data Controller will not be processed automatically, including through profiling.