PRIVACY POLICY – REE – ENGLISH
PRIVACY POLICY OF THE APPLICATION AND THE GDPR
INFORMATION OBLIGATION
REE
TABLE OF CONTENTS:
1. GENERAL PROVISIONS
2. GROUNDS FOR DATA PROCESSING
3. PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING IN THE APPLICATION
4. DATA RECIPIENTS IN THE APPLICATION
5. PROFILING IN THE APPLICATION
6. RIGHTS OF DATA SUBJECTS
1) GENERAL PROVISIONS
1. This privacy policy of the Mobile Application is for information
purposes only, which means that it is not
a source of obligations for the Mobile Application Users. The privacy
policy contains primarily rules for
the processing of personal data by the Controller in the Application,
including the grounds, purposes
and scope of personal data processing and the rights of data subjects, as
well as information regarding
the use of cookies and analytical tools in the Application.
2. The Controller of personal data collected via the Application as a
result of the provision of Electronic
Services is the company FASHIONTRADES APS entered into the
Danish National Business Register, ERHVERVSSTYRELSEN, Dahlerups Pakhus
Langelinie Alle 17 2100 København Ø, location: Bredgade 23A, 2. th, 1260
København K, File number X19-DD-40-US , share capital: DKK 40,000.00,
e-mail address:
[email protected] hereinafter referred
to as the “Controller”, which is at the same time the Mobile Application
Service Provider.
3. Personal data in the Application are processed by the Controller in
accordance with the applicable law,
in particular pursuant to Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27
April 2016 on the protection of individuals with regard to the processing
of personal data and on the
free movement of such data and the repeal of Directive 95/46/EC (general
regulation on data
protection) – hereinafter referred to as “GDPR” or the “GDPR Regulation”.
The official text of the GDPR
Regulation:
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
4. Using the Mobile Application is voluntary. Similarly, the provision of
personal data by the User using the
Mobile Application is voluntary, subject to two exceptions: (1) entering
into agreements with the
Controller – not providing the data, in cases and to the extent indicated
in the Mobile Application and
in the Regulations of the Mobile Application and this privacy policy,
necessary to conclude and execute
the agreement for the provision of Electronic Services with the Controller,
results in the inability to
conclude this agreement. Providing personal data is in this case a
contractual requirement and if the
data subject wants to conclude a given agreement with the Controller, they
are obliged to provide the
required data. Each time, the scope of data required to conclude the
agreement is previously indicated
on the Mobile Application website and in the Regulations of the Mobile
Application; (2) statutory duties
of the Controller – providing personal data is a statutory requirement
resulting from the generally
applicable legal provisions imposing the obligation to process personal
data on the Controller (e.g. data
processing for the purpose of keeping tax or accounting books) and failure
to provide them will prevent
the Controller from performing these duties.
5. The Controller takes special care to protect the interest of persons
whose personal data they process,
and in particular is responsible and ensures that the data collected by
them is: (1) processed in
accordance with the law; (2) collected for specified, legitimate purposes
and is not subject to further
processing incompatible with those purposes; (3) factually correct and
adequate in relation to the
purposes for which it is processed; (4) stored in a form that permits the
identification of persons whom
the data concerns, for not longer than it is necessary to achieve the
purpose of processing; and (5)
processed in a manner that ensures adequate security of personal data,
including protection against
unauthorized or unlawful processing and accidental loss, destruction or
damage, using appropriate
technical or organizational measures.
6. Taking into account the nature, scope, context and purposes of the
processing as well as the risk of
violating the rights or freedoms of natural persons with different
likelihood and seriousness of risk, the
Controller uses appropriate technical and organizational measures for
processing in accordance with
this Regulation and is able to prove it. These measures shall be reviewed
and updated where necessary.
The Controller uses technical measures to prevent the acquisition and
modification of personal data
sent electronically by unauthorized persons.
7. All words, expressions and acronyms appearing in this privacy policy and
starting with a capital letter
(e.g. Service Provider, Website, Electronic Service) should be understood
in accordance with their
definition contained in the Regulations of the Mobile Application available
on the Mobile Application
website.
2) GROUNDS FOR DATA PROCESSING
1. The Controller is authorized to process personal data in cases where –
and to the extent to which – at
least one of the following conditions is met: (1) the data subject has
consented to the processing of their
personal data in one or more specific purposes; (2) processing is necessary
for the performance of an
agreement to which the data subject is party or for taking action at the
request of the data subject prior
to the conclusion of the agreement; (3) processing is necessary to fulfill
the legal obligation of the
Controller; or (4) processing is necessary for purposes arising from
legitimate interests pursued by the
Controller or by a third party, except when the interests or fundamental
rights and freedoms of the data
subject, requiring the protection of personal data, prevail over those
interests, in particular when the
data subject is a child.
2. Processing of personal data by the Controller requires each time at
least one of the grounds indicated
in point 2.1 of the privacy policy. The specific grounds for processing
personal data of the Mobile
Application Users by the Controller are indicated in the next section of
the privacy policy – in relation to
a specific purpose of personal data processing by the Controller.
3) PURPOSE, GROUNDS, PERIOD AND SCOPE OF DATA PROCESSING IN THE
APPLICATION
1. Each time, the purpose, grounds, period, scope and recipients of
personal data processed by the
Controller results from actions taken by a particular User in the
Application.
2. The Controller may process personal data in the Application for the
following purposes, on the following
grounds, in the following period and scope:
The purpose of data
processing Legal grounds for data processing The period of data storage
Execution of the
Agreement for the
provision of Electronic
Services or taking
action at the request of
the data subject prior
to concluding the
abovementioned
agreements
Article 6 paragraph 1b) of the GDPR
Regulation (execution of the agreement)
– processing is necessary for the
execution of the agreement to which the
data subject is a party, or for taking
actions at the request of the data subject,
before concluding the agreement
Data is stored for the time necessary
for execution, termination or
expiration of the concluded
Agreement for the provision of
Electronic Services.
Direct marketing Article 6 paragraph 1f) of the GDPR
Regulation (legitimate interest of the
Controller) – processing is necessary for
the purposes resulting from the
legitimate interests of the Controller –
consisting in caring for the interests and
good image of the Controller, Website
and the quest to provide Electronic
Services
The data is stored for the duration of
the legitimate interest pursued by
the Controller, but not longer than
during the period of limitation of the
Controller’s claims in relation to the
data subject, on account of business
activity conducted by the Controller.
The limitation period is defined by
the law, in particular the Civil Code
(the basic period of limitation for
claims related to conducting business
is three years).
The Controller cannot process data
for direct marketing purposes in case
the data subject clearly and
effectively opposes to it.
Marketing Article 6 paragraph 1a) of the GDPR
Regulation (consent) – the data subject
has consented to the processing of their
personal data for the marketing purposes
by the Controller
The data is stored until the data
subject withdraws the consent for
further processing of their data for
this purpose.
Expressing the opinion
by the Customer
Article 6 paragraph 1a) of the GDPR
Regulation – the data subject has
consented to the processing of their
personal data in order to express an
opinion
The data is stored until the data
subject withdraws their consent for
further processing of their data for
this purpose.
Book-keeping Article 6 paragraph 1c) of the GDPR
Regulation in connection with the art. 74
par. 2 of the Accounting Act dated 30
January 2018 (Journal of Laws of 2018,
item 395) – the processing is necessary to
fulfill the legal obligation of the Controller
The data is stored for the period
required by law, obligating the
Controller to store accounting books
(5 years, counting from the beginning
of the year following the financial
year to which the data relate).
Establishment, redress
or defense of claims
that may be filed by the
Controller or that may
be filed against the
Controller
Article 6 paragraph 1f) of the GDPR
Regulation (legitimate interest of the
Controller) – processing is necessary for
purposes arising from the legitimate
interests of the Controller – that consist
in establishment, redress or defense of
The data is stored for the duration of
the legitimate interest pursued by
the Controller, but not longer than
for the period of limitation of claims
which may be filed by the Controller
15
claims which may be filed by the
Controller or which may be filed against
the Controller
(the basic limitation period for claims
against the Controller is six years).
The use of the Website
and ensuring its proper
operation
Article 6 paragraph 1f) of the GDPR
Regulation (legitimate interest of the
Controller) – processing is necessary for
the purposes arising from the legitimate
interests of the Controller, which consist
in running and maintaining the
Application
The data is stored for the duration of
the legitimate interest pursued by
the Controller, but not longer than
for the period of limitation of the
Controller’s claims in relation to the
data subject, on account of business
activity conducted by the Controller.
The limitation period is defined by
the law, in particular the Civil Code
(the basic period of limitation for
claims related to conducting business
activity is three years).
Keeping statistics and
analysis of traffic in the
Application
Article 6 paragraph 1f) of the GDPR
Regulation (legitimate interest of the
Controller) – processing is necessary for
the purposes arising from the legitimate
interests of the Controller, which consist
in keeping statistics and analyzing traffic
in the Application in order to improve the
functioning and extending the reach of
the provided Electronic Services
The data is stored for the duration of
the legitimate interest pursued by
the Controller, but not longer than
for the period of limitation of the
Controller’s claims in relation to the
data subject, on account of the
business activity conducted by the
Controller. The limitation period is
defined by the law, in particular the
Civil Code (the basic period of
limitation for claims related to
conducting the business activity is
three years).
4) DATA RECIPIENTS IN THE APPLICATION
1. For the proper functioning of the Mobile Application, including for the
execution of the concluded Sale
Agreements, the Controller must use the services of external entities (such
as, for example, software
supplier, payment service provider). The Controller uses only the services
of such processors who provide
sufficient guarantees of implementing appropriate technical and
organizational measures, so that the
processing meets the requirements of the GDPR Regulation and protects the
rights of the data subjects.
2. The transfer of data by the Controller does not occur in each case and
not to all recipients or categories of
recipients indicated in the privacy policy – the Controller provides data
only when it is necessary to perform
a given purpose of personal data processing and only to the extent
necessary to achieve it.
3. Personal data may be transferred by the Controller to a third country,
whereby the Controller assures that
the data will be transferred only to the country providing an adequate
level of protection – compliant with
the GDPR Regulation, and the data subject has the opportunity to obtain
copies of their data. The Controller
transfers collected personal data only in the case and to the extent
necessary to achieve a given purpose of
data processing in accordance with this privacy policy.
4. Personal data of the Mobile Application Users and Users may be
transferred to the following recipients or
categories of recipients:
a. entities handling electronic payments or payment cards – in the case of
a Customer who uses the
electronic payment method or payment card in the Application, the
Controller provides the
Customer’s personal data to a selected entity handling the above payments
in the Application on
behalf of the Controller to the extent necessary to handle payments made by
the Customer,
b. service providers supplying the Controller with technical, IT and
organizational solutions enabling the
Controller to conduct business activities, including the Mobile Application
and Electronic Services
provided through it (in particular, the software provider for running the
Mobile Application, e-mail
and hosting provider and software provider) to manage the company and
provide technical support
to the Controller) – the Controller provides the collected personal data of
the Customer to a selected
supplier acting on their behalf only in the case and to the extent
necessary to achieve a given purpose
of data processing in accordance with this privacy policy.
c. providers of accounting, legal and advisory services providing the
Controller with accounting, legal or
advisory support (in particular accounting offices, law firms or debt
collection companies) – the
Controller provides the collected personal data of the Customer to a
selected supplier acting on their
behalf only in the case and to the extent necessary achieve a given purpose
of data processing in
accordance with this privacy policy.
5) PROFILING IN THE APPLICATION
1. The GDPR Regulation imposes on the Controller an obligation to inform
about automated decision making,
including profiling, referred to in art. 22 par. 1 and 4 of the GDPR
Regulation, and – at least
in these cases – relevant information about the rules for making decisions,
as well as the significance
and envisaged consequences of such processing for the data subject. With
this in mind, the
Controller provides information on possible profiling in this section of
the privacy policy.
2. The Controller may use profiling in the Application for direct marketing
purposes, but the decisions
made on its basis by the Controller do not relate to the conclusion or
refusal to conclude the Sales
Agreement or the possibility of using the Electronic Services in the
Application. The result of the use
of profiling in the Application may be e.g. a reminder about unfinished
activities in the Application,
sending a service proposal that may correspond to the person’s interests or
preferences. Despite
profiling, a given person makes a free decision whether they want to make
use of better conditions
in the Application.
3. Profiling in the Application consists in automatic analyzing or
forecasting the behavior of a given
person on the website of the Mobile Application, e.g. through the analysis
of previous actions taken
in the Application. The prerequisite for such profiling is the Controller’s
possession of personal data
of a given person in order to be able to send them, e.g. a discount code.
4. The data subject has the right not to be subject to a decision which is
based solely on automated
processing, including profiling, and produces legal effects in relation to
this person or similarly affects
this person.
6) THE RIGHTS OF DATA SUBJECTS
1.
Right of access, rectification, restriction, deletion or transfer
– the data subject has the right to
request the Controller to provide them with the access to their personal
data, rectify, delete them
(“the right to be forgotten”) or limit their processing and has the right
to object to processing and
the right to transfer their data. Detailed conditions for the exercise of
the abovementioned rights
are indicated in art. 15-21 of the GDPR Regulation.
2. The right to withdraw consent at any time – a person
whose data is processed by the Controller on
the basis of their consent (pursuant to Article 6 paragraph 1a) or art. 9
par. 2a) of the GDPR
Regulation) has the right to withdraw consent at any time without effect on
the lawfulness of the
processing, which was made on the basis of the consent before its
withdrawal.
3. The right to lodge a complaint to the supervisory body
– a person whose data is processed by the
Controller has the right to lodge a complaint to the supervisory body in
the manner and mode
specified in the provisions of the GDPR Regulation and Polish law, in
particular the Act on the
Protection of Personal Data. The supervisory body in Poland is the
President of the Office for
Personal Data Protection.
4. Right to object – the data subject has the right to
object at any time – for reasons related to their
special situation – to the processing of their personal data based on art.
6 par. 1e) (task in public
interest) or f) (legitimate interest of the Controller), including
profiling, on the basis of these
provisions. In such a case, the Controller may no longer process such
personal data unless the
Controller proves that there are valid legal grounds for processing that
override the interests, rights
and freedoms of the data subject or the grounds for establishment, redress
or defense of claims.
5. Right to object related to direct marketing – if
personal data are processed for direct marketing
purposes, the data subject has the right to object to the processing of
their personal data for such
marketing purposes at any time, including profiling, to the extent that the
processing is related to
such direct marketing.
6. In order to exercise the rights referred to in this section of the
privacy policy, you can contact the
Controller by sending a relevant message in writing or by e-mail to the
Controller’s address indicated
in the beginning of the privacy policy or by using the contact form
available on the website of the
Mobile Application.