Privacy Policy
Table of contents:
§1 General information
§2 Personal data controller
§3 Data acquisition and purpose of data processing
§4 Categories of personal data
§5 Recipients of personal data
§6 Archiving of personal data
§7 Rights, accessing and updating personal data, complaints
§8 Automated data processing, cookie policy
§9 Changes to the Privacy Policy
Privacy Policy version 2.0 is effective as of 08.03.2023.
§1 General information
1. The Privacy Policy of the Online Shop does not constitute a source of obligation for the Visitor and the Customer of the Online Shop. It is for information purposes only and is not a contract or a regulation.
2. All expressions and words written with a capital letter (e.g. Online Shop, Customer, etc.) shall be understood in accordance with the content of the Terms and Conditions of the Online Shop.
3. In the event of any discrepancy between this Privacy Policy and the consents given by an individual for the processing of personal data, the legal basis for determining the scope of the Controller's activities shall be the voluntarily given consents or the legal provisions that apply to the factual situation.
§2 Personal data controller
1. The Controller of your personal data is Mariusz Ciemcioch, conducting business activity under the name "ROCO" MARIUSZ CIEMCIOCH, with registered office in Ksawerów (95-054) at Zachodnia 54a Street, Poland, registered in Poland under the following numbers: NIP: 7311087751, REGON: 472069820, BDO: 000195755 (hereinafter: Controller).
2. For all data protection issues, please feel free to contact us at the above address or via e-mail: biuro@roco-fashion.pl.
3. You can also send a request for information on what personal data we hold about you and for what purposes we process it to the address indicated.
4. The Controller informs that it stores the correspondence for statistical purposes and for the improvement of the support system in the scope of the GDPR, as well as for the resolution of complaints and possible administrative intervention decisions based on the notifications in the indicated Customer Account. Addresses and data collected in this way will not be used for communication for purposes other than the fulfilment of the request, in particular not used for marketing purposes and not passed on to third parties.
5. When contacting the Controller to perform a specific action (e.g. making a complaint, making a return), the Controller may again ask the person concerned to provide data, including personal data, e.g. in the form of name, surname, home address, e-mail address, in order to confirm his/her identity and enable the person concerned to be contacted back on the matter and to perform the requested action. The provision of this data is not obligatory, but may be necessary in order to carry out an activity or obtain information of interest to the person concerned.
6. If you have given your additional consent for us to use cookies, our trusted partners may also be the controllers of the data obtained from your online activities.
§3 Data acquisition and purpose of data processing
1. We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, (hereinafter: GDPR) and other data protection legislation currently in force at the time of processing of certain data.
2. According to the wording of the indicated legislation, personal data is considered to be information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
3. We ensure that the data we obtain from you is confidential, secure and only processed when necessary. We process data lawfully, fairly and transparently to the data subject. We process only such data and only of such content as is necessary for the legitimate purpose, i.e. the reason for processing. Personal data is collected with due care and adequately protected against access by unauthorised persons. We use appropriate and adequate security measures and state of the art technology to protect personal data against accidental loss and unauthorised access, use, alteration or disclosure. We keep personal data in a way that enables the data subject to be identified for no longer than is necessary for the purposes for which the data is processed.
4. The controller obtains information about personal data in the following ways:
- a. by making a purchase in the Online Shop by the Customer;
- b. by registering a Customer Account;
- c. through voluntary subscription to a newsletter service;
- d. by sending a complaint, request, enquiry or letter of any other nature;
- e. by means of the voluntarily entered information in the e-mail sent in connection with the desire to cooperate or in the contact form;
- f. via cookies, pixels or similar internet technologies.
5. We would like to inform you that the purpose and scope of the data processed by the Controller derives from the consent of the Website Visitor or the Customer or from the provisions of the law and, in selected cases, is further specified as a result of the actions taken by these persons in the Online Shop or through other communication channels.
6. The provision of personal data by the Visitor or Customer of the Online Shop is voluntary, but necessary in order to use certain functionalities of the Online Shop (e.g. placing an Order and its settlement by the Customer, registering a Customer Account or using contact forms).
7. In each case, the scope of the data required to conclude the relevant contract is indicated in advance in the Online Shop (we mark the data the provision of which is necessary to conclude a contract/use a specific functionality), in other channels of communication with the Visitor or the Customer or in the Terms and Conditions. The consequence of failing to provide personal data may be the inability to effectively use the functionality of the Website, e.g. the inability to place an order.
8. Your personal data is obtained by the Controller for the following purpose:
Purpose of processing | Legal basis |
Keeping statistics. | Article 6(1)(f) GDPR. |
To carry out marketing of its own products and services without the use of electronic communication. | Article 6(1)(f) GDPR. |
Conduct marketing of its own products and services using electronic communications. | Article 6(1)(f) GDPR, with these activities, due to the Telecommunications Law and the Act on the Provision of Electronic Services, being carried out only on the basis of the consents held (Article 6(1)(a) GDPR). |
Handling requests made using the contact form, e-mails, complaints, other requests. Responding to requests and enquiries made using the contact form or in any other form, including storing sensitive requests and answers provided in order to maintain accountability. Handling of requests. Investigation and defence of claims, including from third parties. | Article 6(1)(a) GDPR. Article 6(1)(c) GDPR. |
Handling of the Customer's Account. To conclude and perform Service Agreements (Account/Basket) or to take action at the request of a future Customer prior to its conclusion. | Article 6(1)(a) GDPR. |
Conclusion and execution of the Sales Contract. | Article 6(1)(b) GDPR. |
Archiving of sales documents. | Article 6(1)(c) GDPR. |
9. Newsletter. If you wish to subscribe to our newsletter, it is mandatory that you provide us with your e-mail address via the newsletter subscription form. The provision of data is voluntary, but necessary in order to use the newsletter service. Subscription to the newsletter is also possible at the stage of creating a Customer Account and placing an order. The data provided to us when you sign up for the newsletter is used to send you the newsletter in which we inform you about company activities, the current collection, promotions and discounts. The legal basis for processing in this situation is your voluntary consent given when signing up for the newsletter. Your data is processed in this case for the purpose of sending the newsletter periodically, and the basis for the processing is Article 6(1)(a) GDPR, i.e. your consent resulting from your wish to receive the service. Your data will be processed for the duration of the newsletter, unless you opt out earlier, which will permanently delete your data from the database. Furthermore, you can rectify your data stored in the newsletter database at any time, as well as request its deletion by unsubscribing from the newsletter. You also have the right to data portability contained in Article 20 of the GDPR.
10. Email contact. When you contact us by e-mail, you provide us with your e-mail address as the sender address of the message. In addition, you may also include other personal data in the body of the message. The provision of data is voluntary, but necessary in order to get in touch with us. Your data is processed in this case for the purpose of contacting you, and the legal basis for the processing is Article 6(1)(a) GDPR, i.e. your consent resulting from your wish to contact us. The legal basis for post-contact processing is the legitimate purpose of archiving correspondence for internal purposes (Article 6(1)(c) GDPR). The content of your correspondence may be archived and we are unable to specify when it will be deleted, however, this will be for a maximum period of 5 years. You have the right to request the history of any correspondence you have had with us (if it has been archived) as well as to request its deletion, unless its archiving is justified by our overriding interests.
11. Customer Account. When you create a Customer Account on our Website, you provide us with your e-mail address. This is voluntary, but necessary in order to successfully register a Customer Account. Once you have registered, your data is processed in this case for the purpose of maintaining a Customer Account, and the basis for the processing is Article 6(1)(a) of the GDPR, i.e. your consent resulting from your wish to set it up. Data will be processed for as long as you have a Customer Account, unless you request its deletion beforehand, which will remove your data from the database. You can correct your data assigned to your Customer Account at any time, as well as request their deletion. You also have the right to data portability contained in Article 20 of the GDPR.
§4 Categories of personal data
1. The controller may process the following categories of personal data:
- a. personal data provided in the form when placing an Order in the Online Shop, in particular: e-mail address, telephone number, name and surname, address of residence;
- b. personal data provided in the form when registering a Customer Account, in particular e-mail address, name and surname, company name, VAT ID, contact number, PKD number, address data;
- c. personal data provided for the use of the newsletter; provided when using the contact form; sent by e-mail; or provided when filing complaints, claims or requests, in particular: name and surname; e-mail address; contact telephone number; address [street, house number, apartment number, postal code, town, country]; bank account number; NIP number;
- d. personal data provided for the purpose of participating in competitions/promotions: name and surname; e-mail address; contact telephone number; address of residence [street, house number, apartment number, postal code, town, country];
- e. other data based in particular on the Customer's activity on the Internet, including that obtained through the Online Shop or other channels of communication with the Customer, using cookies and similar technologies.
§5 Recipients of personal data
1. Your personal data may be processed by our partners and subcontractors, i.e. entities whose services we use to process your data and provide services to you. To the best of our knowledge, all entities to whom we entrust the processing of personal data guarantee the application of the appropriate protection and security measures for personal data required by law.
2. Your personal data may be transferred by the Controller:
- a. to state authorities or other entities authorised by law, in order to fulfil our obligations;
- b. to a limited extent, the Controller's partners may be involved in the processing of personal data, in particular those who technically assist in the smooth running of the Online Shop (e.g. support us in sending e-mails and, in the case of advertising activities, also in marketing campaigns), providers of hosting or ICT services, carriers or intermediaries carrying out the shipment of Orders, entities handling electronic payments or payment card payments in the Online Shop, companies that service the software, support the Controller in marketing campaigns, as well as providers of legal and advisory services and external accountants;
- c. in addition, we may share fully anonymised data (data that cannot identify you) with entities with whom we work.
3. As part of its marketing (advertising) activities, the Controller uses the services of third parties that use cookies, pixels or marketing functions similar to cookies in the Online Shop. The catalogue of these entities is indicated in detail in § 8 of this Policy.
4. Our providers are mainly based in Poland or in other countries of the European Economic Area (EEA) and also, e.g. in the case of Google Analytics, based outside the EEA. Due to the content of the CJEU ruling Schrems II (C-311/18), we have anonymisation of your IP numbers enabled - we do not transfer this data to the USA. Other data sent to Google does not have the characteristics of personal data, i.e. a specific natural person cannot be identified from it.
§6 Archiving of personal data
1. The Controller will only retain your personal data for as long as is necessary for the purposes set out in this Privacy Policy and/or to comply with legal and regulatory requirements. After this period, the Controller will securely delete your personal data.
2. We retain the data for the periods indicated below:
Data linked to the sales procedure. | 8 years |
Data for marketing purposes. | In the case of processing based on consent, until the consent is withdrawn. In the case of processing on the basis of a legitimate purpose - until you object. |
Data submitted using the contact form, e-mail. | For a period of 3 years to maintain accountability. |
Opinion data. | In the case of data processing on the basis of consent - until the consent is withdrawn. In the case of processing on the basis of a legitimate purpose - until you object. |
Personal data linked to cookies and similar functions. | Until such files are deleted using the settings of the website / browser / device (whereby the deletion of files is not always the same as the deletion of Personal Data obtained through such files - in which case Personal Data will be deleted until you object). |
Data provided in the course of complaints and other procedures relating to customer claims. | 6 years. |
The remaining category of data (with the exception of data from cookies, about which more in our Cookies Policy). | 2 years. |
3. In any case, personal data will also be stored if legal regulations (e.g. accounting or tax regulations) oblige the Controller to process them; we will store personal data longer in case the Customer has any claims against the Controller, in order for the Controller to assert claims, or in order to assert or defend against third-party claims, for the period of limitation prescribed by law, in particular the Civil Code.
4. Depending on the scope of the personal data and the purposes for which they are processed, they may therefore be stored for different periods. In each case, the longer period of retention of personal data is decisive.
§7 Entitlements, accessing and updating personal data, complaints
In accordance with Article 15 of the DPA, you have the right to obtain information from the Data Controller as to whether your personal data is being processed.
If the Controller processes your personal data, then you have the right to:
- a. access to personal data;
- b. be informed about the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients of that data, the intended period of storage of your data or the criteria for determining that period, your rights under the GDPR and your right to lodge a complaint with a supervisory authority, the source of that data, automated decision-making, including the safeguards applied in connection with the transfer of that data outside the European Union;
- c. obtain a copy of their personal data.
In addition, you may request the rectification of your personal data (Article 16 GDPR), the erasure of your personal data (Article 17 GDPR), object to the processing of your personal data (Article 21 GDPR) and, where technically feasible, request the transfer of the personal data provided to another organisation (Article 20 GDPR).
In relation to the right to be forgotten, the Controller will update or delete your data unless it has a legal obligation to retain it for business purposes or to comply with the law. In some cases, you have the right to request the restriction of the processing of your personal data (Article 18 GDPR). You may also contact the Controller if you have concerns about the collection, storage or use of your personal data.
The Controller shall endeavour to deal promptly with all requests concerning the above-mentioned operations on your personal data, but no later than within 30 days of receiving the request. Due to the complex nature of the request, the Controller has the right to consider your requests in a period exceeding 30 days, of which it will inform you in advance.
The controller aims to handle complaints conclusively, but if you are still dissatisfied with the response you receive, you may lodge a complaint with your local data protection supervisory authority. In Poland, the supervisory authority under the GDPR is the President of the Office for Personal Data Protection.
§8 Processing of personal data by automated means, cookie policy
1. Our Website, like almost all other websites, makes use of cookies. This cookie policy applies to both Customers of the Online Shop and Visitors to the Online Shop, i.e. users who browse the content of the Online Shop but do not make purchases.
2. The Cookie Policy is a document which forms an integral part of this Privacy Policy. The content of the Cookie Policy can be found here.
3. The Website also uses functionalities similar to cookies. Accordingly, the individual provisions of the Cookie Policy must be referred to accordingly for these technologies as well.
§9 Changes to the privacy policy
1. This Privacy Policy 2.0 is effective as of 08.03.2023.
2. The Controller declares that he has the right to amend this document for important reasons, including:
- a. changes to the applicable legislation, in particular with regard to GDPR, telecommunications law, electronically provided services, affecting the rights and obligations of the Controller or the rights and obligations of the Data Subject;
- b. developments in electronic functionality or services due to advances in Internet technology, including the implementation of new IT, technological or technical solutions on the Website, which affect the scope of this Privacy Policy.
3. The Controller undertakes to inform Users of any changes in good time, allowing them to familiarise themselves with the content of the amended document, e.g. by posting the consolidated text of the Privacy Policy on the homepage of the Website.
4. For users using the newsletter function, if the Controller makes substantial changes to the content of the Privacy Policy, the Controller will inform the Users of these changes by e-mail. In the event of any objections to the change in the Policy, the user has the right to stop using the newsletter by sending a request to unsubscribe from the newsletter or by requesting the deletion of their personal data.
Previous versions of the Privacy Policy:
Privacy Policy 1.0, in force from 15.10.2019 to 08.03.2023.