This document explains how SHOP.AROMATREND.EU (more specifically, the Administrator running the Shop - defined below) processes the personal data of its Users in full compliance with all applicable laws - in particular, in compliance with the so-called RODO - i.e. the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. The purpose of the document is to provide Store Users with the necessary information regarding the processing of their personal data, thus fulfilling the information obligation under the RODO.
1. What is meant by the term 'personal data'?
Personal data is information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as, for example, name, identification number, location data, internet identifier.
2. What does 'processing of personal data' mean?
Processing means an operation or set of operations which is performed upon personal data or sets of personal data by automated or non-automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Thus, the processing of personal data already includes its collection (when the User provides data by registering in the Shop or providing data for shipment), storage, or, for example, marking it on the parcel in which we send the ordered goods to the Shop user.
3. Who is the administrator of the personal data of SHOP.AROMATREND.EU store customers?
The administrator of the personal data of the SHOP.AROMATREND.EU Store customers is Aroma Trend LLC, Limited partnership, with its registered office in Michałowice, Szkolna street 46A (05-816 Michałowice), conducting its business in Ożarów Mazowiecki, Sławęcińska street 4, Macierzysz, registered in the Register of Entrepreneurs in the District Court for the Capital City of Warsaw, XIV Commercial Division of the National Court Register under KRS No. 0000345310, holding tax identification number (NIP) 5342408853, Regon 141669372. E-mail contact to the Administrator – firstname.lastname@example.org. The personal data controller is a person who determines the purposes and means of the data processing and is responsible for the compliance of the processing with legal regulations.
4. General principles for processing personal data
In processing personal data, we are guided by the general principles and specific guidelines of the RODO and other applicable legislation. In particular, we process data lawfully, fairly and making every effort to ensure transparency of the processing for the data subject. We collect and process personal data for specific, explicit and legitimate purposes - information about the purposes of the processing is provided to you when you consent to the processing and collectively in this document. We collect and process only such data as is necessary for the purposes for which they are processed. We make every effort to ensure that the data processed is correct and updated as necessary. We retain data in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data is processed. When processing data, we pay particular attention to ensuring adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage by means of appropriate technical or organizational measures.
5. Where do the personal data come from?
Personal data is only provided to us voluntarily by Users.
6. For what purpose do we process personal data?
We process Users' personal data primarily for the purpose of completing an order in the Shop - e.g. for sending the order to Users, issuing a document confirming the purchase, fulfilling public and legal obligations related to making the sale (resulting from tax or accounting regulations), processing payments, recovering debts, answering any questions and doubts related to the purchase, etc. Providing personal data by the User for this purpose is voluntary, but without providing such data it is not possible to carry out the order.
Personal data is also processed in order to create and maintain a user profile (account) in the Shop - which enables placing orders, monitoring the process of fulfilling orders, following the history of orders, etc.
Moreover, if the User gives a separate consent, we use their personal data to send commercial offers (by e-mail), as well as for statistical, marketing and market analysis purposes.
If you subscribe to our newsletter and provide your personal data (which does not have to be the case if you use, for example, only a nickname and your e-mail address does not contain personal data), we process the personal data provided in order to send the newsletter.
7. On what legal basis do we process personal data?
The general legal basis for our processing of personal data is the so-called RODO. We process personal data primarily for the purpose of fulfilling a contract concluded with a Store User, as well as on the basis of Users' voluntary consent (which applies mainly to data processing for marketing purposes - which takes place exclusively on the basis of User consent).
Furthermore, we also process personal data when it is necessary for the fulfilment of legal obligations incumbent on us (e.g. under tax law or accounting regulations). We also process Users' personal data on the basis of the Administrator's legally justified interests - in order to provide payment services, to recover debts, to conduct judicial, mediation or arbitration proceedings, to store data for archiving purposes and to ensure accountability (demonstrating that we have fulfilled our data processing obligations under the law).
8. To whom may we transfer your personal data?
As a rule, we do not share Users' personal data with third parties. Only authorized employees and associates of the Administrator have access to personal data. However, in some cases we entrust the processing of personal data to third parties on the basis of a detailed agreement, and we bear full responsibility for the actions and omissions of these entities. The entities to which we entrust data processing process the data only for the purposes specified by us and on our behalf. Examples of entities to which we entrust the processing of personal data are:
• the provider of hosting services for the SHOP.AROMATREND.EU Shop, where personal data is stored,
• marketing agencies who may carry out marketing campaigns for us aimed at Users (provided that they have given their consent to the processing of data for such purposes),
• and other entities acting for similar purposes on our behalf.
9. For how long do we keep personal data?
We store the processed personal data for the purpose of fulfilling orders in the SHOP.AROMATREND.EU Shop for a period of time resulting from tax and accounting regulations obliging us to store documents related to sales - which contain personal data of buyers. This is usually 5 years from the end of the year in which the deadline for payment of tax on the sale expired. Other data related to the execution of orders - the storage of which is not required by tax regulations - we store until the expiry of our liability for the completed sale (the period of limitation of claims).
Personal data processed for marketing purposes (including sending of newsletters) - which takes place only in the case of the User's explicit consent to such processing - are stored until the User withdraws the consent.
10. How do we ensure the security of the personal data entrusted to us?
The security of personal data entrusted to us is a key value for us. In order to ensure its proper protection, we have implemented a personal data security policy which we verify periodically, at the same time checking the effectiveness of the security measures applied in practice.
In order to protect the entrusted personal data, we ensure that only authorized employees and associates of the Administrator have access to it. Personal data is stored primarily in IT systems to which access is properly secured. However, access to personal data in the administration panel of the Store is protected by a login and password which are established by the User himself. We recommend that you do not make your login and password available to third parties and that you change your password periodically. We use professional IT service providers (in particular, hosting providers), from whom we require the maintenance of the highest security standards.
11. The rights of data subjects
11.1 Rights of access to data
Any person to whom the processed data refers is entitled to obtain from the Administrator confirmation of the fact that his/her data is being processed and to obtain access to the data. In addition to access to the data, the Administrator shall be obliged to provide such person with additional information about:
(a) the purposes of the processing of his/her personal data,
(b) the categories of these personal data,
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular the recipients in third countries or international organizations,
(d) the intended period of storage of the personal data,
(e) the right to request from the administrator rectification, erasure or restriction of processing of personal data concerning the data subject, and to object to such processing,
(f) the right to lodge a complaint with a supervisory authority,
(g) information on automated decision-making, including profiling, as well as on the significance and foreseeable consequences of such processing for the data subject.
The administrator shall provide the user with a copy of the personal data under processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject requests an electronic copy, and unless he or she indicates otherwise, the information shall be provided by a commonly used electronic channel.
Our IT systems offer access to stored data directly from the Store's user panel. When, for technical reasons, editing or displaying is not possible, the system is being updated, upgraded or temporarily unavailable during maintenance work, it is possible to access the data by sending a request by e-mail or telephone to the Administrator's office - to the address indicated above. If the request is received electronically, the data will be provided electronically and within the timeframe compliant with the requirements of RODO. You can also choose the form of data access according to your preferences at the time of sending the request to us.
11.2 Rights of rectification
If you believe that any data we process about you is inaccurate, you have the right at any time to have it corrected, completed (on the basis of an additional statement) or rectified, as well as deleted.
We inform each recipient to whom the personal data have been disclosed about the rectification or erasure of personal data or the restriction of processing that we carry out as a controller in accordance with Articles 16, 17(1) and 18 of the RODO, unless this proves impossible or involves a disproportionate effort. We also inform the data subject of these recipients upon request.
11.3 Rights to data erasure (rights to be forgotten)
The User has the right to be forgotten - i.e. to request the Administrator to immediately erase personal data concerning him/her in the following cases:
(a) the data is no longer necessary for the purposes for which they were collected or processed,
(b) The User has withdrawn the consent for processing, and there is no other legal basis for processing,
(c) The User objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing under Article 21(2) of the RODO (processing for direct marketing purposes),
(d) the personal data have been unlawfully processed,
(e) if the retention of the data violates the provisions of the RODO, Union law or the law of a Member State to which the Administrator is subject.
However, despite the User's request, personal data may not be erased when it is necessary:
(a) to comply with a legal obligation requiring processing under Union law or the law of a Member State to which the Administrator is subject (e.g. under tax or accounting legislation),
(b) for the establishment, exercise or defense of claims.
11.4 Right to restrict processing
Each User has the right to restrict our processing of their data in the following cases:
• when he/she believes his/her personal data is incorrect - for a period allowing him/her to check the correctness of the data;
• when the processing is unlawful and the data subject objects to the erasure of the personal data, requesting instead that the processing be restricted;
• when we no longer need the personal data for the purposes of the processing, but they may be necessary for the User to establish, assert or defend a claim;
• when the User raises an objection under Article 21(1) to the processing - until it is established whether the legitimate grounds on our side override the grounds for the objection.
If the processing has been restricted, we shall then only process the personal data with the consent of the data subject, or in order to establish, assert or defend claims, or to protect the rights of another natural or legal person, or for important grounds of public interest of the Union or of a Member State.
Whenever a restriction on processing is lifted, we inform the data subject.
11.5 Right to data portability
Any User whose personal data we process has the right to receive it from us in a structured, commonly used machine-readable format. He also has the right to transfer this personal data to another controller without hindrance from us, if this is done in accordance with the requirements of the RODO.
The right to data portability also applies in all situations where processing on our side is carried out by automated means.
You also have the right to request that we send your data directly to another controller, as far as this is technically possible.
11.6 Right to object
The User has the opportunity to withdraw at any time his/her previously given consent to the processing of personal data for direct marketing purposes. This possibility does not entail any fee. He/she also has the right to object at any time, free of charge, to this processing, whether initial or further.
11.7 Right to lodge a complaint with a supervisory authority
If you believe that your rights in relation to your personal data are not respected or that we do not comply with the requirements of the RODO or other legal regulations, you have the right to lodge a complaint directly with the supervisory authority, which is the President of the Office for Personal Data Protection (PUODO). At the same time, we encourage you to try to clarify any doubts directly with the Administrator beforehand.
12. Information on automated decision-making (including profiling)
We do not use profiling within the meaning of the RODO - i.e. we do not adapt the content displayed on the Store website to the Users' preferences based on their personal data.
13. Rules regarding cookies
During the use of the Shop by a User, small files (in particular text files) containing information useful for the proper use of the Shop - so-called cookie files - are saved on his/her end device (computer, smartphone, tablet, etc.). Saving these files on the User's device makes it possible, among other things, to remember the login data, thanks to which the User avoids the need to enter the login and password each time, to remember the goods added to the basket, etc.
Cookies do not contain any data identifying a User; on their basis it is not possible to establish anyone's identity. These files are not in any way harmful to the User's device and do not change its settings or the settings of the software installed on it. Reading the content of these files is possible only through the server which created them.
During the use of the Shop by the User, two types of cookies are used: session and permanent. Session files are temporary files, stored on the User's device until logging out of the Shop, leaving the Shop or closing the browser. Permanent files are stored on User's device for the time specified in the parameters of these files or until they are deleted by the User.
The Shop uses the following types of cookies:
(a) Files that ensure the security of transactions made within the Store. Lack of these files makes it impossible to complete the transaction safely;
(b) Statistical files - allow the Administrator to collect statistical information about the use of the Shop;
(c) Functional files - files which make it possible to remember user settings and preferences. Thanks to storing these files on the User's device there is no need to enter the login and password each time;
(d) Advertising files - files which enable a User to receive personalized advertising. These files may be used by the Shop or by entities cooperating with the Shop by providing advertising services, thanks to which an advertisement adjusted to a User's interests may be displayed.
If the User chooses in the browser settings of his/her device the option which allows the storing of cookies or leaves this default option unchanged, it means that he/she has agreed to these files being stored on his/her device.