In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter ‘GDPR’), as well as all other applicable provisions of the law concerning the protection of personal data, we commit to observing the requirements of confidentiality and security of the obtained personal data. All our service workers have received appropriate training in personal data processing and protection.
Every Website User has the possibility to choose whether and to what extent he or she wants to use our services and share personal information. Every Website User has the right to retract such information or not to use the Website.
- The Personal Data Controller is: Chroma Spółka z ograniczoną odpowiedzialnością (LP), Przemysłowa Street 5, 68-200 Żary, Poland.
- We have appointed a Data Protection Officer (herein referred to as ‘DPO’), who should be contacted on all matters concerning the processing of personal data and the exercise of rights related to that processing.
DPO contact details:
Correspondence address: Chroma Spółka z ograniczoną odpowiedzialnością /DPO/, Przemysłowa Street 5, 68-200 Żary, Poland.
Email address: firstname.lastname@example.org
When processing the Users’ personal data, the following rules shall apply:
- legality, reliability, and transparency: personal data are processed in accordance with the provisions of the law. The persons whom the data concern (Users) shall be sufficiently informed about the related issues;
- data minimization and appropriateness: only (adequate) data that are actually needed to achieve particular objectives are processed;
- data accuracy: we shall do our utmost to ensure that the processed data are valid and correct;
- purpose limitation and safe retention of the processed data: personal data are collected only for specific and legitimate purposes. The data are retained in a format that permits the identification of the data subject. We process them for as long as necessary to meet the purpose for which they were obtained (unless further processing is required by obligations imposed by applicable laws);
- integrity and confidentiality of data: technical and organizational solutions are provided that ensure the safety of personal data processing;
- accountability: we shall be able to prove that the processing of personal data is in accordance with the provisions of the law.
Our website collects the following User personal data:
- full name—required for order placing and making contact during order placing;
- address of residence or company address—for shipping;
- telephone number—for contact during order execution;
- email address—for sending order confirmation and for possible contact;
- addresses—data resulting from general rules of Internet connections, such as an IP address (and other data contained in system logs).
Providing the aforementioned data is necessary in the following cases:
- when buying at the Store, one shall provide data that can help identify the Buyer;
- registration in the Customer database is voluntary; information is stored in the database in order to enable and facilitate purchases.
- The User can agree to have the abovementioned data saved so that he or she will not need to enter the same data during his or her next visit to the Website. User consent may be withdrawn at any time by email (email@example.com).
- The owners of other websites will have no access to the data.
- If the User does not accept the interface customization, he or she should disable cookie files in his or her web browser settings.
Legal grounds for processing personal data for each of the objectives and the processing duration are as follows:
- Purpose: the performance of the contract between Chroma Sp. z o.o. (LP) and the User—legal basis: Article 6(1)(b) of GDPR—processing is necessary for the performance of a contract to which the data subject is party;
- Purpose: product and controller service marketing (including data analyzing and profiling for automated marketing purposes), statistical measurement—legal basis: Article 6(1)(a) of GDPR—the data subject (User) has given consent to the processing of his or her personal data for one or more specific purposes;
- Purpose: data processing for technical reasons in order to preserve the website’s continuity and functionality—legal basis: Article 6(1)(f) of GDPR— processing is necessary for the purposes of the legitimate interests pursued by the controller.
User personal data will be processed, within the framework of our service, only when there is a legal basis for processing and only when it is purposeful under the particular basis approved by GDPR, as indicated above.
Data will be processed as long as there is a purpose for their processing:
- in the event that consent has been granted, until it has been withdrawn or limited, or until other activities on your part limit the consent,
- in the event that data are necessary for the performance of the contract—during the performance period and over the period necessary for vindication of claims, as well as by reason of duties provided for in the law, e.g. taxes,
- in the event that data processing is necessary for the purposes of the legitimate interests pursued by the controller.
- If the User has granted consent, his or her submitted email address will be used for marketing purposes of the controller’s own products—Chroma Spółka z ograniczoną odpowiedzialnością (LP), Przemysłowa Street 5, 68-200 Żary, Poland, as well as for statistical purposes. The User’s granted consent may be revoked at any time.
- If consent has been granted to receive the newsletter, it may be withdrawn by pressing the button chroma.pl/en/unsubscribe.
- If consent has been granted during User account creation at the website, it may be withdrawn by pressing the button here.
- The obtained User personal data are not available to third parties, with the exception of entities cooperating with the service, e.g. payment system operators, courier companies and forwarding agents (which process payment for goods purchased in the service and deliver the purchased goods to Purchasers), and hosting companies. In such cases, the amount of data provided to entities cooperating with the service is limited to the strict minimum.
- Each entity cooperating with the service that gains access to personal data provided by the User has undertaken to protect the data to the extent compatible with the applicable provisions of the law and to train its personnel in the processing and protection of the personal data provided.
- The collected Users’ personal data may be provided to the competent authorities if it is required by legal regulations.
- We do not store sensitive data, such as credit card numbers or bank account access data.
Personal data obtained from the Users are not transferred outside the European Economic Area and such measures are not planned to be taken in the future.
- Users shall have the following rights with regard to the processing of their personal data:
  - the right to access his or her personal data, including the right to obtain a copy of the data,
  - the right to demand the rectification of the data,
  - the right to erase the data (under certain circumstances),
  - the right to lodge a complaint with a supervisory authority for personal data protection,
  - the right to restriction of data processing,
  - the right to object (under certain circumstances).
- If data are processed based on consent, Users may additionally exercise the right of consent withdrawal to the extent that the data are processed on this basis. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The means of consent retraction are indicated in § 5 and § 7 above.
- If the User data are processed based on consent or order processing (data are necessary for order execution), he or she may exercise the right to data portability, i.e. to receive the personal data which he or she has provided to a controller, in a structured, commonly used, and machine-readable format. The data may be transmitted to another data controller.
In order to exercise the aforementioned rights one shall contact the controller or the Data Protection Officer, DPO (contact details in § 3 above).