We kindly inform you that the administrator of your personal data is Whites Sp z.o.o. ul. Grochowska 306/308, 03-841 Warsaw, holding Tax Identification Number: 113-282-73-23, REGON 142824892, registered in the District Court for the Capital City of Warsaw XIII Commercial and Registration Department under number 0000379076, share capital of 5000 PLN (hereinafter referred to as "WHITES"). Contact on personal data protection is possible at the following e-mail address: firstname.lastname@example.org
II. Purposes and basis for processing personal data
In order to provide services in accordance with your business profile, WHITES processes your personal data for various purposes, but always in accordance with the law. Below you will find the listed purposes of the processing of personal data together with the legal basis.
The regulation, which is the source of rights and obligations of entities processing personal data and entities whose data are processed is mainly Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (commonly referred to as "GDPR") and the Act on the protection of personal data of 10 May 2018.
In order to deliver services provided by WHITES, we process such personal data as
name and surname,
tax number (in case of purchases as an entrepreneur).
The legal basis for such data processing is Article 6(1)(b) of the GDPR, which allows personal data to be processed if they are necessary for the performance of a contract or for taking steps to conclude a contract.
In order to answer the questions by the address email@example.com, we process such personal data as:
The legal basis for such processing is Article 6(1)(b) of the GDPR, which allows for the processing of personal data if they are necessary for the performance of a contract or for taking steps to conclude a contract.
In order to consider a complaint, we process personal data such as the following
name and surname,
alternatively, the address of residence - in the case of a refund or written correspondence,
bank account number - in the case of a refund.
The legal basis for such processing is Article 6(1)(b) of the GDPR, which allows personal data to be processed if they are necessary for the performance of a contract or for taking steps to conclude a contract.
For the purpose of sending e-mail notifications containing commercial information, we process such personal data as
The legal basis for such processing is Article 6(1)(a) of the GDPR, which allows the processing of personal data if the individual has given his prior consent; second, Article 6(1)(f) of the GDPR, which allows the processing of personal data where this is in accordance with his legitimate interest (in this case WHITES' interest is to inform the client of its new own products and services);
In order to meet the obligations arising from the tax law, such as e.g. storing accounting records for 5 years, we process such personal data as
name and surname,
address of residence,
The legal basis for such processing is Article 6(1)(c) of the GDPR, which allows for the processing of personal data if such processing is necessary for the fulfilment of the controller's legal obligations;
In order to establish the registers and records related to the GDPR, including e.g. the register of customers who have objected in accordance with the GDPR, we shall process the following personal data
name and surname,
because, firstly, the GDPR regulations impose certain documentary obligations on us to demonstrate compliance and accountability, and, secondly, if you object to, for example, the processing of your personal data for marketing purposes, we need to know who we do not use direct marketing against because you do not wish to do so.
The legal basis for such processing is, firstly, Article 6(1)(c) of the GDPR, which allows processing of personal data if such processing is necessary for the fulfilment of the controller's legal obligations; secondly, Article 6(1)(f) of the GDPR, which allows processing of personal data if the controller thereby pursues a legitimate interest (in this case, WHITES' interest is to have knowledge of the persons who exercise their rights under the GDPR);
In order to establish, investigate or defend against claims, we process such personal data as:
name and surname,
address of residence (if provided),
The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows for the processing of personal data if the Personal Data Controller thereby pursues a legitimate interest (in this case WHITES' interest is to have personal data in order to establish, enforce or defend against claims, including those of customers and third parties);
For analytical purposes, i.e. to study and analyse the activity on the WHITES website, we process personal data such as the following
the date and time of your visit on the website,
type of operating system,
the type of web browser used to browse the website,
time spent on the website,
the subpages visited,
a subpage where the contact form has been filled in.
The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows personal data to be processed if the Administrator of Personal Data thus pursues a legitimate interest (in this case WHITES' interest is to know the activity of the clients on the website whites.agency);
Cookies perform dozens of most often useful functions on the website, which we will try to describe below (if the information is insufficient, please contact us):
ensuring security - cookies are used to authenticate users and prevent unauthorized use of the Service. Therefore they are used to protect the personal data of the user against unauthorized access;
influence on the processes and efficiency of using the website - cookies are used to make the website operate smoothly and to make it possible to use the functions available on the website, which is possible, among other things, thanks to saving settings between subsequent visits on the website. Thanks to them, it is possible to efficiently navigate the website and individual subpages;
status of the session - cookies often store information about how visitors use the website, e.g. which subpages they display most often. They also make it possible to identify errors displayed on some subpages. Cookies used to record the so-called "session status" help to improve services and increase the comfort of browsing;
establishing statistics - cookies are used to analyze how visitors use the website (how many people open the website, how much time they spend on it, which content attracts the most interest, etc.). In this way, the website can be continuously improved and adapted to the users' preferences. We use Google's tracking and tracing tools, such as Google Analytics, to help us track your activity and compile statistics; in addition to reporting on website usage statistics, Google Analytics may also use Google Pixel Analytics, along with some of the cookies described above, to help you view more relevant content on Google services (such as Google Search) and across the web;
IV. Right to withdraw consent
If the processing of personal data is based on consent, you may revoke this consent at any time at your own discretion.
If you would like to withdraw your consent to the processing of personal data, this is sufficient for this purpose:
send an e-mail directly to WHITES at firstname.lastname@example.org
If your personal data have been processed on the basis of your consent, the withdrawal of your consent does not make the processing of your personal data illegal until then. In other words, we have the right to process your personal data until the withdrawal of your consent and its withdrawal does not affect the lawfulness of the previous processing.
V. Requirement to provide personal data
The provision of any personal data is voluntary and is at your discretion. However, in some cases, the provision of certain personal data is necessary to meet your expectations regarding the use of the services.
In order to conclude a cooperation agreement by WHITES, it is necessary to provide your name, surname, telephone number and e-mail address - without this we are not able to take steps to conclude the agreement or the agreement itself.
In order for you to receive an invoice for services, it is necessary to provide all data required by tax law, i.e. name and surname or company name, address of residence or registered office, VAT number - without this we are not able to issue an invoice correctly.
In order to be able to contact you by phone in matters related to the execution of the transaction, it is necessary to provide your telephone number - without this we are unable to contact you by phone.
VI. Automated decision making and profiling
Please be advised that we do not make automated decisions, including those based on profiling. The content of the inquiry, which is sent via the contact form, is not subject to evaluation by the computer system. The proposed price for the goods is in no way the result of an evaluation by any information system.
VII. Recipients of personal data
Like most entrepreneurs, in our business we use the assistance of other entities, which often involves the need to transfer personal data. Therefore, if necessary, we pass on your personal data to those cooperating with us who provide services for WHITES, a legal advisory company (in case of complicated complaints), a hosting company, as well as an insurance company (in case there is a need to repair the damage).
In addition, it may be the that, for example, on the basis of a relevant legal provision or a decision of a competent authority, we may have to pass on your personal data to other entities, whether public or private. Therefore, it is extremely difficult for us to predict who may request personal data. However, for our part, we assure you that we analyse every case of a request to disclose personal data very carefully and very thoroughly, so as not to inadvertently pass on the information to an unauthorized person.
VIII. Transfer of personal data to third countries
Like most entrepreneurs, we use various popular services and technologies offered by entities such as Facebook, Microsoft, Google. These companies are established outside the European Union and are therefore treated as third countries under the terms of the GDPR regulations.
GDPR imposes certain restrictions on the transfer of personal data to third countries because, since European rules do not apply in principle, the protection of personal data of EU citizens may unfortunately be insufficient. Therefore, every controller of personal data is obliged to determine the legal basis for such a transfer.
For our part, we assure you that when using our services and technology, we transfer personal data only to U.S. entities and only to those that have joined the Privacy Shield Program, pursuant to the European Commission's Implementing Decision of 12 July 2016. - Further information can be found on the European Commission's website at https://ec.europa.eu/info/law/law-topic/dataprotection/data-transfers-outside-eu/eu-us-privacy-shield_en. Entities that have joined the Privacy Shield Program warrant that they will comply with the high standards of personal data protection in the European Union, and that the use of their services and technologies to process personal information is lawful.
In particular, if you are concerned about the transfer of your personal data, we will provide you at any time with further clarification regarding this issue.
You have the right at any time to obtain a copy of the personal data transferred to a third country.
IX. Period of processing personal data
According to the applicable legal regulations, we do not process your personal data "indefinitely", but for the time necessary to achieve the set goal. After this period, your personal data will be irretrievably deleted or destroyed.
In case that we do not need to perform any operations on your personal data other than storing them (e.g. when we store the content of the contract for the purpose of defending against claims), we will additionally secure them by encrypting the drives on which the personal data are stored until they are permanently deleted or destroyed. Without an additional key, it is impossible to gain access to the data and therefore such information becomes completely inaccessible to unauthorised persons.
We kindly inform you that we process your personal data for a period of time with respect to the individual processing periods of your personal data:
The duration of the contract - in the regard to the personal data processed for the purpose of concluding and executing the contracts of sale;
3 years or 10 years + 1 year - in the regard to personal data processed for the purpose of establishing, asserting or defending claims (the length of the period depends on whether both parties are entrepreneurs or not);
5 years - in relation to personal data related to the fulfilment of tax law obligations;
until the withdrawal of consent or the achievement of the purpose of the processing, but no longer than for 5 years - with regard to personal data processed on the basis of consent;
until the effective objection is raised or the purpose of the processing is achieved, however, not longer than for 5 years - with regard to personal data processed on the basis of a legitimate interest of the Personal Data Administrator or for marketing purposes;
To improve the process of deletion or destruction of personal data we count periods in years from the end of the year in which we began processing personal data. Separate counting of the deadline for each concluded contract would involve significant organisational and technical difficulties, as well as significant financial outlays, therefore, setting one date for deleting or destroying personal data allows us to manage this process more efficiently. Of course, if you exercise your “right to forget” such situations are considered individually.
An additional year related to the processing of personal data collected for the purposes of contract performance is dictated by the fact that you may hypothetically submit a claim just before the expiry of the statute of limitations, the claim may be delivered with a significant delay or you may erroneously determine the statute of limitations for your claim.
X. Rights of data subjects
We kindly inform you that you have the right to:
access to your personal data;
correction of personal data;
deletion of personal data;
limitation of the processing of personal data;
objection to the processing of personal data;
transfer of personal data.
We respect your rights under data protection laws and we try to facilitate their implementation as much as possible.
We would like to point out that these rights are not absolute and therefore, in certain situations, we may legally deny you the right to exercise them. However, if we refuse to validate the request, it is only after careful analysis and only if the refusal to validate the request is necessary.
In the regard to the right to object, we explain that you have the right at any time to object to the processing of personal data on the basis of the legitimate interest of the Personal Data Controller (listed in point II) in relation to your particular situation. However, you must keep in mind that under the law, we may refuse to accept an objection if we prove that:
there are the legitimate basis for processing that take precedence over your interests, rights and freedoms, or
there are the basis for establishing, pursuing or defending claims.
In addition, you may object at any time to the processing of your personal data for marketing purposes. In such a case, we will cease processing for this purpose once we have received your objection.