PERSONAL DATA PROTECTION POLICY

I. Personal data controller

1. The administrator of personal data within the meaning of art. 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (GDPR) is Monika Pełka who performs economic activitynamed MOMA Monika Pełka at ul. Dębowa 1, 42-120 Miedźno, NIP: 574 196 75 19, REGON: 384 318 807.
2. E-mail address of the data administrator: kontakt@momapracownia.pl
3. The administrator, pursuant to art. 32 sec. 1 GDPR complies with the principle of personal data protection and applies appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data processed in connection with the business.
4. Providing personal data by the Customer is voluntary, but necessary to conclude a contract with the data administrator.
5. The data administrator processes personal data, in particular in the form of identification data (first and last name and company name), address data, tax identification number and other registration numbers, contact details (telephone number) and identification data of persons indicated for contact by the Customer.

II. Purpose and grounds for processing personal data

The administrator processes personal data for the following purposes:

a) preparing a commercial offer or an agreement and conducting consultations in response to the client’s interest, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
b) concluding and implementing a project based on a concluded contract (Article 6 (1) (b) of the GDPR);
c) accounting related to issuing and accepting settlement documents, pursuant to the provisions of tax law, including the Act of September 29, 1994 on accounting and the Act of March 11, 2004 on tax on goods and services (Article 6 (1) (c) of the GDPR);
d) archiving data for possible determination, investigation or defense against claims or the need to prove facts, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
e) contact by phone or via e-mail, in particular in response to inquiries addressed to the data controller, which is the legitimate interest of the data controller (Article 6 (1) (f) of the GDPR);
f) marketing of the data controller’s own products, which is his legitimate interest (Article 6 (1) (f) of the GDPR) or based on a prior consent (Article 6 (1) (a) of the GDPR).

III. Data recipients. Data transfer to third countries

1. The recipients of personal data processed by the data controller may be cooperating entities with the data administrator, when it is necessary to perform the contract concluded with the data subject.
2. The recipients of personal data processed by the data administrator may also be subcontractors – entities, which services are used by the data controller when processing data, e.g. accounting offices, law firms, entities providing IT services (including hosting services).
3. The data controller may be required to disclose personal data on the basis of applicable law, in particular to disclose personal data to authorized state authorities or institutions.
4. Personal data may be transferred to an entity based outside the European Economic Area, i.e. to Google LLC as the provider of Google Analytics and Google AdWords based on appropriate legal safeguards, which are standard contractual clauses for the protection of personal data approved by the European Commission.

IV. Period of personal data storage

1. The data controller stores personal data for the duration of the contract concluded with the data subject and after its termination for purposes related to the pursuit of claims related to the contract, performance of obligations under applicable law, but for no longer than the limitation period in accordance with with the provisions of the Civil Code.
2. The data controller stores personal data contained in settlement documents for the period of time specified by the provisions of the Act on tax on goods and services and the Accounting Act.
3. The data controller stores personal data processed for marketing purposes for a period of 10 years, but not longer than until the consent to data processing is withdrawn or an objection to data processing is raised.
4. The data controller stores personal data for purposes other than those indicated in par. 1-3 for a period of 3 years, unless the consent to data processing has been withdrawn and the data processing cannot be continued on a basis other than the consent of the data subject.

V. Rights of the data subject

1. Every data subject has the right to:
a) access – obtaining confirmation from the administrator as to whether their personal data is being processed. If data about a person is processed, he is entitled to access them and obtain the following information: about the purposes of processing, categories of personal data, information about recipients or categories of recipients to whom the data has been or will be disclosed, about the period of data storage or about their criteria determining the right to request rectification, deletion or limitation of the processing of personal data due to the data subject, and to object to such processing (Article 15 of the GDPR);
b) receiving a copy of the data – obtaining a copy of the data subject to processing, the first copy being free of charge, and the administrator may charge a reasonable fee for subsequent copies resulting from administrative costs (Article 15 (3) of the GDPR);
c) rectification – requests for rectification of incorrect personal data concerning her or supplementing incomplete data (Article 16 of the GDPR);
d) deletion of data – requests to delete their personal data, if the administrator no longer has a legal basis for their processing or the data is no longer necessary for the purposes of processing (Article 17 of the GDPR)
e) restriction of processing – requests to limit the processing of personal data (Article 18 of the GDPR), when:
• the accuracy of the personal data is contested by the data subject – for a period enabling the controller to verify the accuracy of the data,
• the processing is unlawful and the data subject opposes their removal, requesting the restriction of their use,
• the controller no longer needs these data, but they are needed by the data subject to establish, assert or defend claims,
• the data subject has objected to the processing – pending the verification whether the legitimate grounds of the controller override those of the data subject;
f) data transfer – receiving in a structured, commonly used and machine-readable format personal data concerning him, which he provided to the administrator, and requesting this data to be sent to another administrator, if the data is processed on the basis of the consent of the data subject or a contract concluded with him, and if the data is processed in an automated manner (Article 20 of the GDPR);
g) objection – objecting to the processing of her personal data for the legitimate purposes of the administrator, for reasons related to her particular situation, including profiling. Then the controller assesses the existence of valid, legitimate grounds for processing that override the interests, rights and freedoms of data subjects, or the grounds for establishing, investigating or defending claims. If, according to the assessment, the interests of the data subject are more important than those of the controller, the controller will be obliged to stop processing the data for these purposes (Article 21 of the GDPR).
2. In order to exercise the above-mentioned rights, the data subject should contact the administrator using the contact details provided and inform him which right and to what extent he wants to exercise.
3. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.

VI. Profiling

1. Personal data obtained by the data administrator may be processed automatically – including in the form of profiling. Profiling of personal data performed by the data controller consists in assessing selected information about the data subject for the purposes of analyzing and forecasting personal preferences and interests, in particular for the possibility of providing the data subject with a personalized offer.
2. Automatic data processing performed by the data controller does not give rise to any legal consequences for the data subject. The data subject may at any time object to the automated processing of his data.

COOKIES POLICY

1. The administrator uses cookies to collect information related to the use of the Website by the Customer. Cookies are small text files sent and stored on the Customer’s device through which he connects to the Website. The administrator uses “session” cookies stored on the customer’s end device until logging out, turning off the website or turning off the web browser and “permanent” cookies stored on the customer’s end device for the time specified in the parameters of cookies or until their removal by the customer.
2. Cookies allow the Administrator to customize and optimize the Website for the needs of Clients, to create statistics of the Website’s views and to ensure the security of the Website. Cookies are also used to maintain the Customer’s session after leaving the website in order to return to the contents of the basket. Cookies also allow you to remember the settings and parameters of the website selected by the Customer.
3. The customer at any time using his web browser can delete cookies from the online store or completely block their collection on the customer’s device.
4. Blocking by the Customer the possibility of collecting cookies on his device may make it difficult or impossible for the Customer to use some of the Website’s functionalities.