Privacy Policy
ONLINE STORE: BIGBOSTORE.COM / BBSONG.PL
TABLE OF CONTENTS:
- GENERAL PROVISIONS
- LEGAL BASIS FOR DATA PROCESSING
- PURPOSE, BASIS, DURATION AND SCOPE OF DATA PROCESSING IN THE ONLINE STORE
- RECIPIENTS OF DATA IN THE ONLINE STORE
- PROFILING IN THE ONLINE STORE
- RIGHTS OF THE DATA SUBJECT
- COOKIES IN THE ONLINE STORE, OPERATIONAL DATA AND ANALYTICS
- FINAL PROVISIONS
§1
GENERAL PROVISIONS
1.1. This Privacy Policy of the Online Store is for informational purposes only, which means it does not impose obligations on Service Recipients or Customers of the Online Store. The Privacy Policy primarily contains rules regarding the processing of personal data by the Administrator in the Online Store, including the basis, purposes, and period of personal data processing and the rights of individuals whose data is concerned, as well as information regarding the use of Cookies and analytical tools in the Online Store.
1.2. The Administrator of personal data collected through the Online Store is Bohdan Bezuhlyi, conducting business under the name B.B. SONG BOHDAN BEZUHLYI, registered in the Central Registration and Information on Business of the Republic of Poland maintained by the minister competent for economic affairs, with the business address and address for correspondence: ul. Jerzego Bajana 3b/2, 80-463 Gdańsk, NIP 5842846237, REGON 527365127, email address: kontakt@bbsong.pl, and phone number: +48 607 404 309 – hereinafter referred to as the “Administrator”, who is also the Service Provider of the Online Store and the Seller.
1.3. Personal data in the Online Store is processed by the Administrator in accordance with applicable law, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. Official text of the GDPR: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.4. Use of the Online Store, including purchases, is voluntary. Likewise, providing personal data by the Online Store User or Customer is voluntary, subject to two exceptions: (1) entering into contracts with the Administrator – failure to provide personal data indicated on the Online Store website, in the Store’s Terms and Conditions, and this Privacy Policy necessary for concluding and executing a Sales Agreement or a contract for the provision of Electronic Services will result in the inability to conclude such a contract. Providing personal data in this case is a contractual requirement, and if the person wishes to conclude a contract, they are obliged to provide the required data. The scope of required data is specified in advance on the Online Store website and in the Store’s Terms and Conditions; (2) legal obligations of the Administrator – providing personal data is a statutory requirement arising from generally applicable laws that impose an obligation on the Administrator to process personal data (e.g., for bookkeeping purposes), and failure to provide them will prevent the Administrator from fulfilling those obligations.
1.5. The Administrator takes special care to protect the interests of individuals whose data is being processed and is in particular responsible for ensuring that the data: (1) is processed lawfully; (2) is collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) is factually correct and adequate to the purposes for which it is processed; (4) is stored in a form which permits identification of the data subject for no longer than necessary for the purposes of processing; and (5) is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
1.6. Taking into account the nature, scope, context, and purposes of processing and the risk of violating the rights or freedoms of natural persons with varying likelihood and severity, the Administrator implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the GDPR and that it can demonstrate compliance. These measures are reviewed and updated when necessary. The Administrator uses technical measures to prevent unauthorized acquisition or modification of personal data transmitted electronically.
1.7. All terms, phrases, and acronyms appearing in this Privacy Policy and beginning with a capital letter (e.g., Seller, Online Store, Electronic Service) shall be understood according to their definitions contained in the Online Store’s Terms and Conditions available on the Store’s website.
§2
LEGAL BASIS FOR DATA PROCESSING
2.1. The Administrator is authorized to process personal data if – and to the extent that – at least one of the following conditions is met: (1) the data subject has given consent to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data, especially when the data subject is a child.
2.2. The processing of personal data by the Administrator always requires the existence of at least one of the bases indicated in point 2.1. The specific basis for the processing of the personal data of Online Store Users and Customers by the Administrator is indicated in the next section of this Privacy Policy – in relation to the specific purpose of data processing by the Administrator.
§3
PURPOSE, BASIS, DURATION AND SCOPE OF DATA PROCESSING IN THE ONLINE STORE
| Purpose of Data Processing | Legal Basis for Data Processing | Data Retention Period |
|---|---|---|
| Execution of the Sales Agreement or the contract for the provision of Electronic Services, or taking steps at the request of the data subject prior to entering into these contracts | Article 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract | Data is stored for the period necessary to execute, terminate or otherwise expire the concluded Sales Agreement or Electronic Services Agreement |
| Direct marketing | Article 6(1)(f) GDPR – processing is necessary for the purposes of legitimate interests pursued by the Controller (maintaining the Controller’s business reputation and Online Store, and promoting sales) | Data is retained for the duration of the legitimate interest of the Controller, but no longer than the limitation period for claims under applicable laws. The basic limitation period for business-related claims is three years, and two years for a sales agreement. Data will not be processed for direct marketing if the data subject objects to such processing. |
| Marketing | Article 6(1)(a) GDPR – consent has been given by the data subject | Data is retained until the consent is withdrawn by the data subject |
| Providing feedback on a concluded Sales Agreement | Article 6(1)(a) GDPR – consent has been given by the data subject | Data is retained until the consent is withdrawn by the data subject |
| Bookkeeping | Article 6(1)(c) GDPR in conjunction with Art. 74(2) of the Accounting Act of 30 January 2018 (Journal of Laws 2018, item 395) – processing is necessary for compliance with a legal obligation | Data is retained for the legally required period for bookkeeping (5 years, counting from the beginning of the year following the fiscal year concerned) |
| Establishment, exercise or defense of claims by or against the Controller | Article 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the Controller | Data is retained for the period of the Controller’s legitimate interest, but no longer than the limitation period for claims (typically six years for claims against the Controller) |
| Use of the Online Store website and ensuring its proper operation | Article 6(1)(f) GDPR – processing is necessary for the legitimate interests pursued by the Controller (maintaining and operating the Online Store site) | Data is retained for the period of the Controller’s legitimate interest, not exceeding the statutory limitation period for claims (usually three years for business-related claims, and two years for sales agreements) |
| Statistics and traffic analysis in the Online Store | Article 6(1)(f) GDPR – processing is necessary for the legitimate interests pursued by the Controller (improving store operation and increasing sales) | Data is retained for the period of the Controller’s legitimate interest, not exceeding the statutory limitation period for claims |
§4
DATA RECIPIENTS IN THE ONLINE STORE
4.1. For the proper functioning of the Online Store, including the execution of Sales Agreements, the Controller uses the services of external entities (e.g. software providers, couriers, or payment processors). The Controller only uses the services of processors that provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure processing in compliance with the GDPR and to protect the rights of data subjects.
4.2. Data is not transferred to every recipient or category listed in the privacy policy in all cases – only when necessary for the achievement of a particular data processing purpose and only to the extent required. For example, if a Customer chooses personal pickup, their data will not be shared with shipping providers.
4.3. Personal data of Service Users and Customers of the Online Store may be disclosed to the following recipients or categories of recipients:
4.3.1. Carriers / forwarding agents / courier brokers – if the Customer chooses postal or courier delivery, the Controller provides the necessary personal data to the selected delivery entity solely to the extent required for delivery.
4.3.2. Entities processing electronic or card payments – if the Customer chooses such payment methods, their data is shared with the relevant payment service provider to the necessary extent for transaction processing.
4.3.3. Credit institutions / leasing companies – if the Customer selects installment or leasing payment options, the Controller shares data with the appropriate financing institution solely for processing the transaction.
4.3.4. Customer review system providers – if the Customer consents to provide a review, their data is shared with the review system provider to the extent necessary for collecting the opinion.
4.3.5. Suppliers providing the Controller with technical, IT and organizational solutions – including software providers for the store platform, email, hosting, ERP systems, and technical support. Data is shared only when and to the extent necessary for the specific processing purpose in accordance with this privacy policy.
4.3.6. Accounting, legal and advisory service providers – including accounting firms, law firms, or debt collection agencies. Data is shared only to the extent required for processing purposes aligned with this privacy policy.
§5
Profiling in the Online Store
5.1. The GDPR imposes on the Administrator the obligation to inform about automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and – at least in these cases – essential information about the principles of such decision-making, as well as about the significance and anticipated consequences of such processing for the data subject. With this in mind, the Administrator provides information in this section of the privacy policy regarding possible profiling.
5.2. The Administrator may use profiling in the Online Store for direct marketing purposes, but decisions made based on profiling by the Administrator do not concern the conclusion or refusal to conclude a Sales Agreement, nor the ability to use Electronic Services in the Online Store. The effect of profiling in the Online Store may be, for example, granting a discount to a person, sending them a discount code, reminding about unfinished purchases, sending proposals of Products that may match the person’s interests or preferences, or offering better conditions compared to the standard offer of the Online Store. Despite profiling, the person freely decides whether to use the received discount or better conditions and make a purchase in the Online Store.
5.3. Profiling in the Online Store consists of the automatic analysis or prediction of a person’s behavior on the Online Store website, e.g., by adding a specific Product to the cart, browsing a specific Product page in the Online Store, or by analyzing the history of previous purchases made in the Online Store. A condition for such profiling is that the Administrator has the personal data of the person to be able to send, for example, a discount code.
5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
§6
Rights of the Data Subject
6.1. Right of access, rectification, restriction, erasure, or data portability – the data subject has the right to request from the Administrator access to their personal data, rectification, erasure (“right to be forgotten”), or restriction of processing and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising these rights are specified in Articles 15-21 of the GDPR.
6.2. Right to withdraw consent at any time – a person whose data is processed by the Administrator based on consent (under Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw consent at any time without affecting the lawfulness of processing carried out based on consent before its withdrawal.
6.3. Right to lodge a complaint with a supervisory authority – a person whose data is processed by the Administrator has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the GDPR and Polish law, particularly the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection.
6.4. Right to object – the data subject has the right to object at any time – for reasons related to their particular situation – to the processing of their personal data based on Article 6(1)(e) (public interest or official authority) or (f) (legitimate interests of the Administrator), including profiling based on these provisions. In such a case, the Administrator must stop processing the personal data unless they demonstrate compelling legitimate grounds for processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
6.5. Right to object to direct marketing – if personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling, to the extent that the processing is related to such direct marketing.
6.6. To exercise the rights mentioned in this section of the privacy policy, the data subject may contact the Administrator by sending an appropriate message in writing or by email to the Administrator’s address indicated at the beginning of the privacy policy or by using the contact form available on the Online Store’s website.
§7
Cookies in the Online Store, Operational Data, and Analytics
7.1. Cookies are small pieces of textual information in the form of text files, sent by the server and stored on the side of the person visiting the Online Store website (e.g., on the hard drive of a computer, laptop, or on the memory card of a smartphone—depending on the device used by the visitor of our Online Store). Detailed information about cookies and their history can be found, among others, here: http://pl.wikipedia.org/wiki/Ciasteczko.
7.2. The Administrator may process data contained in cookies during visitors’ use of the Online Store website for the following purposes:
7.2.1. Identifying users as logged into the Online Store and showing that they are logged in;
7.2.2. Remembering Products added to the cart for the purpose of placing an Order;
7.2.3. Remembering data entered in Order Forms, surveys, or login details for the Online Store;
7.2.4. Customizing the content of the Online Store website to the individual preferences of the user (e.g., regarding colors, font size, page layout) and optimizing the use of the Online Store pages;
7.2.5. Conducting anonymous statistics showing how the Online Store website is used;
7.2.6. Remarketing, i.e., studying behavioral characteristics of visitors to the Online Store through anonymous analysis of their actions (e.g., repeated visits to certain pages, keywords, etc.) to create their profile and deliver advertisements tailored to their predicted interests, including when they visit other websites in the advertising networks of Google Inc. and Facebook Ireland Ltd.;
7.3. By default, most web browsers available on the market accept cookies. Everyone can specify the conditions for using cookies through their own web browser settings. This means, for example, it is possible to partially limit (e.g., temporarily) or completely disable cookies — however, in the latter case, some functionalities of the Online Store may be affected (for example, it may become impossible to complete an Order via the Order Form due to the failure to remember Products in the cart during subsequent ordering steps).
7.4. Web browser settings regarding cookies are important in terms of consent to the use of cookies by our Online Store – according to regulations, such consent may also be given by browser settings. If such consent is not given, the browser settings related to cookies should be appropriately changed.
7.5. Detailed information on how to change cookie settings and manually delete cookies in the most popular web browsers is available in the browser’s help section and at the following pages (just click the link):
- in Chrome browser
- in Firefox browser
- in Internet Explorer browser
- in Opera browser
- in Safari browser
- in Microsoft Edge browser
7.6. The Administrator may use Google Analytics and Universal Analytics services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). These services help the Administrator analyze traffic in the Online Store. The collected data are processed within these services in an anonymized form (these are so-called operational data that prevent identification of a person) to generate statistics helpful in managing the Online Store. These data are aggregated and anonymous, i.e., they do not contain identifying features (personal data) of persons visiting the Online Store website. By using these services in the Online Store, the Administrator collects data such as the sources and mediums of visitors’ acquisition, their behavior on the Online Store website, information about devices and browsers used to visit the site, IP address and domain, geographic data, demographic data (age, gender), and interests.
7.7. It is possible for a person to easily block the sharing of information about their activity on the Online Store website with Google Analytics – to do so, they can install a browser add-on provided by Google Inc. available here: https://tools.google.com/dlpage/gaoptout?hl=en.
§8
Final Provisions
8.1. The Online Store may contain links to other websites. The Administrator encourages visitors to familiarize themselves with the privacy policies of those sites. This privacy policy applies only to the Administrator’s Online Store.