Personal data security policy

I. What is the Personal Data Security Policy?

The Personal Data Security Policy is a set of rules whose purpose is to inform our clients about the entire process related to the acquisition, processing and protection of their personal data. We will also explain the principles and purposes of obtaining data. These processes are carried out on the basis of applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and the Act of 10 May 2018 on the protection of personal data.

This Personal Data Security Policy will help you understand what information we collect in connection with the operation of the Store and how we process it.

If we write about the User in the Security Policy, these provisions also apply to you.

II. Definitions

Administrator - Lilly Collection Katarzyna Oleszczuk with headquarters located in Piaseczno.

Personal data - all information about a natural person identified or identifiable by one or more specific factors determining physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected via cookies and other similar technology.

Security Policy - this Personal Data Security Policy.

GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

Act - the Act of 10 May 2018 on the protection of personal data.

Online Store - lillycollection.pl online store run by the Administrator at www.lillycollection.pl.

User - any natural person visiting the Online Store and using one or several services or functionalities described in the Security Policy.

III. Personal data administrator

The administrator of personal data is Lilly Collection Katarzyna Oleszczuk 05-500 Piaseczno, ul. Pawia 6/78, REGON: 146596790, NIP: 1230911792.

IV. Purposes and grounds for processing personal data

In accordance with the scope of business, the Administrator processes your personal data for various purposes, but it is always done in accordance with the law. Your data is processed in relation to the following categories of activities:

1. Browsing the Online Store

The data of all entities using the Online Store who are not registered Users (i.e. persons without a profile in the Online Store), including the IP address or other identifiers and information collected via cookies or other similar technologies, are processed by the Administrator for one or several of the following purposes:

- providing services electronically, consisting in making the content posted in the Online Store available to Users and providing contact forms - the legal basis for processing - the necessity of processing for the performance of the contract (Article 6 paragraph 1 letter b of the GDPR);

- support for purchases made without registration in the Online Store - legal basis for processing - the need for processing to perform the contract (Article 6 (1) (b) of the GDPR);

- handling complaints - legal basis for processing - necessity of processing to perform the contract (Article 6 (1) (b) of the GDPR);

- analytical and statistical - legal basis for processing - the legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), which consists in conducting analyzes of Users' behavior and activity as well as their preferences aimed at improving the quality and adequacy of the functionalities and services provided;

- possible determination and pursuit of claims or defense against them - legal basis for processing - legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), which consists in the protection of his rights;

- marketing of the Administrator and other entities, in particular related to the presentation of behavioral advertising - the legal basis for processing - the legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), which consists in adjusting the displayed advertising content - the rules for processing personal data for marketing purposes have been described in the "MARKETING" section.

The User's activity in the Online Store, including his personal data, is recorded in system logs (a dedicated computer system created to store a chronological record containing information about events and activities related to the IT system used to provide services by the Administrator). The information collected in the logs is processed in connection with the provision of services by the Administrator. The administrator also processes them for technical purposes, which in particular means that these data may be temporarily stored and processed in order to ensure the security and proper functioning of IT systems, e.g. in connection with making backup copies, testing changes in IT systems, detecting irregularities or protection against abuse and attacks.

2. Registration in the Online Store

Users who register in the Online Store by creating a Customer Account are asked to provide the data necessary to create and operate the account. To facilitate placing an order, the User may provide additional data and agree to their processing. Additional data can be changed or deleted at any time. Providing data marked as mandatory (e-mail address and password) is required to set up and operate an account, and failure to do so results in the inability to set up an account. Personal data provided to the administrator are processed for one or several of the following purposes:

- the provision of services related to the operation and maintenance of an account in the Online Store - legal basis for processing - the need for processing to perform the contract (Article 6 (1) (b) of the GDPR),

- analytical and statistical - legal basis for processing - the legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), which consists in conducting analyzes of Users' behavior and activity as well as their preferences aimed at improving the quality and adequacy of the functionalities and services provided;

- possible determination and pursuit of claims or defense against them - legal basis for processing - legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), which consists in the protection of his rights;

- marketing of the Administrator and sellers - the rules for processing personal data for marketing purposes are described in the "MARKETING" section.

3. Placing an order

a) Placing an order (purchase offer for goods) by the User in the Online Store is associated with the processing of his personal data. Providing data marked as mandatory is voluntary, but necessary for the implementation and delivery of the goods ordered by him, and failure to do so results in the inability to place the order. Providing other data is also voluntary and does not affect the performance of the contract.

b) Personal data provided when placing an order in the Online Store are processed for one or several of the following purposes:

- implementation of the order - the legal basis for processing:

  • in the scope of mandatory data - the necessity of processing for the performance of the contract (Article 6 (1) (b) of the GDPR),
  • in the scope of data provided voluntarily - consent (Article 6 (1) (a) of the GDPR);

- implementation of statutory obligations incumbent on the Administrator, resulting in particular from tax and accounting regulations - legal basis for processing - legal obligation (Article 6 (1) (c) of the GDPR);

- analytical and statistical - legal basis for processing - the legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), which consists in conducting analyzes of Users' behavior and activity as well as their preferences aimed at improving the quality and adequacy of the functionalities and services provided;

- possible determination and pursuit of claims or defense against them - legal basis for processing - legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR), which consists in the protection of his rights;

4. Contact form

a) In the Administrator's Online Store it is possible to contact him using the electronic contact form. Using the form requires providing personal data necessary to contact the User and answer the query. Providing data marked as mandatory is required in order to receive and service the query, and failure to do so results in the inability to use the form.

b) Personal data provided to the Administrator in the contact form are processed for one or several of the following purposes:

- identification of the sender and handling of his inquiry sent via the provided form - legal basis for processing - the necessity of processing to perform the contract for the provision of services (Article 6 paragraph 1 point b of the GDPR);

- analytical and statistical - legal basis for processing - legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR), which consists in keeping statistics of queries submitted by Users via the Online Store in order to improve its functionality and the activities of the Administrator.

5. Marketing

The Administrator processes Users' personal data in order to carry out marketing activities, the legal basis of which is the Administrator's legitimate interest (Article 6 (1) (f) of the GDPR). These activities may include in particular:

- displaying marketing content to the User that is not adapted to his preferences (contextual advertising);

- displaying marketing content relevant to the User's interests (behavioral advertising);

- sending e-mail notifications about interesting offers or content, which in some cases contain commercial information;

- conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).

In order to implement marketing activities, the Administrator uses profiling in some cases. This means that due to automatic data processing, the Administrator assesses selected factors regarding natural persons in order to analyze their behavior or create a forecast for the future. When performing this type of profiling, the Administrator does not, however, apply to the User profiling that has legal effects on him or similarly significantly affects him.

6. Contextual advertising

The Administrator processes Users' personal data for marketing purposes in connection with directing contextual advertising to Users (i.e. advertising that is not tailored to the User's preferences). The processing of personal data then takes place in connection with the implementation of the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR).

7. Behavioral advertising

The Administrator processes Users' personal data, including personal data collected via cookies and other similar technologies, for marketing purposes in connection with directing behavioral advertising to Users (i.e. advertising that is tailored to the User's preferences). The processing of personal data also includes User profiling. The use of personal data collected through this technology for marketing purposes, in particular in terms of promoting the services and goods of third parties, is based on the legitimate interest of the Administrator and only on condition that the User has consented to the use of cookies. Consent to the use of cookies can be expressed through the appropriate configuration of the browser, and can also be withdrawn at any time, in particular by clearing the cookie history and disabling cookies in your browser settings.

8. Direct marketing

If the User has agreed to receive marketing information via e-mail, SMS and other electronic means of communication, the User's personal data will be processed for the purpose of sending him such information. The basis for data processing is the Administrator's legitimate interest in sending marketing information within the limits of the consent given by the User (direct marketing). The User has the right to object to data processing for the purposes of direct marketing, including profiling. The data will be stored for this purpose for the duration of the legitimate interest of the Administrator, unless the User objects to receiving marketing information.

9. Cookies and similar technology

Cookies are small text files installed on the device of a User browsing the Online Store. Cookies collect information that facilitates the use of the website - e.g. by remembering User's visits to the Online Store and their activities.

10. Cookies "Online Store"

The administrator uses the so-called cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Therefore, the Administrator and other entities providing analytical and statistical services to him use cookies, storing information or gaining access to information already stored in the User's telecommunications terminal device (computer, telephone, tablet, etc.). Cookies used for this purpose include:

- cookies with data entered by the User (session ID) for the duration of the session (user input cookies);

- authentication cookies used for services that require authentication for the duration of the session (authentication cookies);

- cookies used to ensure security, e.g. used to detect fraud in the field of authentication (user centric security cookies);

- session cookies of multimedia players (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);

- persistent cookies used to personalize the User interface for the duration of the session or a little longer (user interface customization cookies),

- cookies used to remember the contents of the basket for the duration of the session (shopping cart cookies);

- cookies used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Online Store, to create statistics and reports on the functioning of the Online Store). Google does not use the collected data to identify the User or combine this information to enable identification. Detailed information about the scope and rules of collecting data in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.

11. "Marketing" cookies

The administrator also uses cookies for marketing purposes, including in connection with targeting behavioral advertising to Users. For this purpose, the Administrator stores information or gains access to information already stored in the User's telecommunications terminal device (computer, telephone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular in the field of promoting services and goods of third parties, requires the consent of the User. This consent may be expressed through the appropriate configuration of the browser, and may also be withdrawn at any time, in particular by clearing the cookie history and disabling cookies in the browser settings.

V. How long do we store your data?

1. In accordance with applicable law, we process your personal data for the time that is needed to achieve the designated purpose. After this period, your personal data will be irreversibly deleted or destroyed.

2. In a situation where we do not need to perform other operations using your personal data than their storage (e.g. when we store the content of the order for the purposes of defense against claims), we secure it additionally - by pseudonymisation until it is permanently deleted or destroyed. Pseudonymisation consists in such encryption of personal data or a set of personal data that it cannot be read without an additional key, and therefore such information becomes completely useless to an unauthorized person.

3. Your personal data will be processed by the Administrator for the period necessary to achieve the purposes referred to in the section "Purposes and grounds for processing personal data" (Chapter IV), e.g. until the termination of the newsletter service provided to you, the termination of the agreement to participate in our loyalty program, or the termination of the complaint procedure, and after that period until the limitation periods for any claims expire or until the data storage obligations resulting from legal provisions expire.

VI. What are your rights related to your data?

1. Users have the following rights with regard to their data:

- The right to information on the processing of personal data - on this basis, the Administrator provides the person submitting such a request with information on the processing of personal data, including primarily the purposes and legal grounds for processing, the scope of data held, the entities to whom personal data is disclosed and the planned date of their removal;

- The right to obtain a copy of the data - on this basis, the Administrator provides a copy of the processed data regarding the person making the request;

- The right to rectify data - on this basis, the Administrator removes any incompatibilities or errors regarding personal data being processed, and supplements or updates them if they are incomplete or have changed;

- The right to delete data - on this basis, you can request the deletion of data whose processing is no longer necessary to achieve any of the purposes for which it was collected;

- The right to limit processing - on this basis, the Administrator ceases to carry out operations on personal data, with the exception of operations that the data subject has consented to and their storage, in accordance with the adopted retention rules, or until the reasons for the restriction of data processing cease (e.g. a decision of the supervisory authority will be issued, authorizing further data processing);

- The right to transfer data - on this basis, to the extent that data is processed in connection with the concluded contract or consent, the Administrator issues data provided by the person to whom they relate, in a format that allows it to be read by a computer. It is also possible to request that the data be sent to another entity - however, provided that there are technical possibilities in this regard both on the part of the Administrator and that other entity;

- The right to object to the processing of data for marketing purposes - the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such an objection;

- The right to object to other purposes of data processing - the data subject may at any time object to the processing of personal data on the basis of the justified interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to the protection of property). An objection in this respect should contain a justification and is subject to the Administrator's assessment;

2. The application for the exercise of the rights described above can be submitted by post by writing to the following address: ul. Pawia 6/78, 05-500 Piaseczno or by e-mail to the following address: k.oleszczuk@lillycollection.pl.

3. The application should, if possible, clearly indicate what the request concerns, i.e. in particular:

- who submits the application;
- which of the rights described above the person submitting the application wants to exercise;
- what processing purposes the request relates to (e.g. marketing purposes, analytical purposes, etc.).

4. If the Administrator is not able to determine the content of the request or identify the person submitting the application based on the application, he will ask the applicant for additional information.

5. A response to the application will be given immediately, no later than within one month of its receipt. If it is necessary to extend this period, the Administrator will inform the applicant about the reasons for such extension.

6. The answer will be given to the e-mail address from which the application was sent, and in the case of applications sent by letter, by registered mail to the address indicated by the applicant, unless the content of the letter indicates the desire to receive feedback to the e-mail address (in this case you must provide an email address).

VII. The right to withdraw consent

1. If the Administrator processes your personal data on the basis of your consent, you can withdraw this consent at any time - at your own discretion.

2. If you want to withdraw your consent to the processing of your personal data, you can do it as follows:

- send an email directly to the Administrator to the address k.oleszczuk@lillycollection.pl or
- check the appropriate box in the customer panel, in the "Information" tab or
- click the link attached at the end of the e-mail message.

3. If the Administrator processes your personal data on the basis of your consent, its withdrawal does not mean that the processing of personal data up to this point was illegal. In other words, until the consent is withdrawn, the Administrator has the right to process your personal data and withdrawal of consent does not affect the lawfulness of the current processing.

VIII. Right to lodge a complaint

If you think that your personal data is being processed contrary to applicable law, you can lodge a complaint with the President of the Office for Personal Data Protection.

IX. Transfer of personal data to Third Countries and International Organizations

Your personal data is not transferred to third countries, i.e. outside the European Economic Area (EEA), or to international organizations.

X. Changes to the Personal Data Security Policy

1. To the extent not regulated by this Personal Data Security Policy, the provisions of the Act and the GDPR shall apply.

2. You will be notified by e-mail about any changes introduced to this Security Policy.

3. This privacy policy applies from November 25, 2019.

XI. Questions and contact

If you have any questions about the Personal Data Security Policy, contact the Administrator in writing, either by traditional mail at the following address: ul. Pawia 6/78, 05-500 Piaseczno, or by e-mail at the following address: k.oleszczuk@lillycollection.pl.

Information regarding online dispute resolution pursuant to Art. 14 Para. 1 of the ODR (Online Dispute Resolution Regulation):

The European Commission gives consumers the opportunity to resolve online disputes pursuant to Art. 14 Para. 1 of the ODR on one of their platforms. The platform (http://ec.europa.eu/consumers/odr) serves as a site where consumers can try to reach out-of-court settlements of disputes arising from online purchases and contracts for services.