Privacy Policy

WEBSITE PRIVACY POLICY

WWW.CHRISTINACOSMETICS.COM.PL


§ 1. DEFINITIONS

1.1. Administrator – TOP COSMETICS EUROPE Spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, at ul. Marszałkowska 126/134, 00-008 Warsaw, RP, NIP 5213980858, REGON 52285606200000 (hereinafter referred to as the Company).

1.2. Personal data – all information about a natural person identified or identifiable through one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies and other similar technology.

1.3. Policy – this Privacy Policy.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. These rights are regulated by Articles 15 – 22 of the EU GDPR Act. They include: The right to information (Article 15 of the EU GDPR), Right to erasure (Article 17 EU GDPR), Right to rectification (Article 16 EU GDPR), Right to data portability (Article 20 EU GDPR), Right to restriction of data processing (Article 18 EU GDPR), Right to object to data processing (Article 21 EU GDPR).

1.5. Website – the website run by the Administrator at www.christinacosmetics.com.pl

1.6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.


§ 2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE SERVICE

2.1. The processing of the User's personal data is carried out in accordance with the provisions of the EU GDPR and all other applicable data protection regulations. The legal basis for data processing results in particular from Article 6 of the EU GDPR.

2.2. The consent expressed by the User also constitutes a regulation concerning the permission in the context of data protection regulations. For this purpose, the Administrator will inform the User about the purposes of data processing and their right to object. If the consent also relates to the processing of special categories of personal data, the Administrator will expressly draw attention to this in the consent, Article 88 paragraph 1 of the EU GDPR.

2.3. In connection with the User's use of the Website, the Administrator collects data to the extent necessary to provide the individual services offered, as well as information about the User's activity on the Website.


§ 3. PURPOSES AND LEGAL BASIS FOR DATA PROCESSING ON THE WEBSITE


USING THE SERVICE

3.1. Personal data of all persons using the Website (including IP address or other identifiers and information collected via cookies or other similar technologies) who are not registered Users (i.e. persons who do not have a profile on the Website) are processed by the Administrator:

3.1.1. in order to provide services electronically in the scope of making the content collected on the Website available to Users, including:

  • a) to the extent necessary to establish, shape the content, change, terminate and properly implement the services provided electronically and fulfill orders placed by the User;
  • b) in order to fulfill orders placed by the User for products in the assortment of the Website;
  • c) in order to consider complaints submitted by Users and to return benefits in the event of withdrawal from the contract (return of goods) – then the legal basis for processing is the necessity of processing for the performance of the contract (Article 6, paragraph 1, letter b) of the GDPR);

3.1.2. for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f) of the GDPR) consisting in conducting analyses of Users’ activities, as well as their preferences in order to improve the functionalities used and the services provided;

3.1.3. in order to possibly determine and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR) consisting in the protection of its rights;

3.1.4. for marketing purposes of the Administrator and its trusted partners, by sending a newsletter and via SMS/MMS – the legal basis for processing is the User's consent (Article 6, paragraph 1, letter a) of the GDPR).

3.1.5. for the marketing purposes of the Administrator, including the presentation of offers and products on the Website related to the provision of services by electronic means – the legal basis for processing is a legitimate interest (Article 6, paragraph 1, letter f) of the GDPR). Detailed principles of personal data processing for marketing purposes are described in the "MARKETING" section.

3.2. User activity on the Website, including their personal data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities concerning the IT system used to provide services by the Administrator). Information collected in logs is processed primarily for purposes related to the provision of services. The Administrator also processes it for technical, administrative purposes, for the purposes of ensuring the security of the IT system and managing this system, as well as for analytical and statistical purposes - in this respect, the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR).


REGISTRATION ON THE SERVICE

3.3. Persons who register on the Service are asked to provide data necessary to create and manage an account. In order to facilitate the service, the User may provide additional data, thereby expressing consent to their processing. Such data may be deleted at any time. Providing data marked as mandatory is required to set up and maintain an account, and failure to provide it results in the inability to set up an account. Providing the remaining data is voluntary.

3.4. Personal data are processed:

3.4.1. in order to provide services related to maintaining and servicing an account on the Website – the legal basis for processing is the necessity of processing for the performance of the contract (Article 6, paragraph 1, letter b of the GDPR), and in the scope of data provided optionally – the legal basis for processing is consent (Article 6, paragraph 1, letter a of the GDPR);

3.4.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR) consisting in conducting analyses of Users’ activity on the Website and the manner of using the account, as well as their preferences in order to improve the functionalities used;

3.4.3. in order to determine and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR) consisting in the protection of its rights.

3.4.4. for marketing purposes of the Administrator and other entities – the principles of processing personal data for marketing purposes are described in the "MARKETING" section.

3.5. You can also log in to your account on the Service via social media (Facebook, Instagram, etc.). In such a case, the Service will download from the User's account on the social media only the data necessary for registration and account management. By changing the plugin settings yourself, the User can easily extend the scope of downloaded data to include data that may be useful when using the account functionality on the Service.

3.6. If the User places any personal data of other people on the Website (including their name, address, telephone number or e-mail address), they may do so only if they do not violate the provisions of applicable law and the personal rights of such people.


PLACING ORDERS (USING PAID SERVICES ON THE WEBSITE)

3.7. Placing an order (purchase of goods or services) by the Service User involves the processing of his/her personal data. Providing data marked as mandatory is required in order to accept and process the order, and failure to provide it results in the lack of its execution. Providing the remaining data is optional.

3.8. Personal data are processed:

3.8.1. in order to fulfil the placed order – the legal basis for processing is the necessity of processing for the performance of the contract (Article 6, paragraph 1, letter b of the GDPR); in the scope of data provided optionally, the legal basis for processing is consent (Article 6, paragraph 1, letter a of the GDPR);

3.8.2. in order to fulfil the statutory obligations incumbent on the Controller, resulting in particular from tax and accounting regulations – the legal basis for processing is the legal obligation (Article 6, paragraph 1, letter c of the GDPR);

3.8.3. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR) consisting in conducting analyses of Users’ activity on the Website, as well as their shopping preferences in order to improve the functionalities used;

3.8.4. in order to determine and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR) consisting in the protection of its rights.

3.8.5. for purposes related to satisfaction surveys, in particular by sending e-mails with a request to complete a satisfaction survey – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR) consisting in maintaining high quality of service and the level of Customer satisfaction with the offered products and services.


CONTACT FORMS

3.9. The Administrator provides the possibility of contacting him using electronic contact forms. Using the form requires providing personal data necessary to contact the User and respond to the inquiry. The User may also provide other data to facilitate contact or handling the inquiry. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide them results in the inability to handle it. Providing the remaining data is voluntary.

3.10. Personal data are processed:

3.10.1. in order to identify the sender and process their inquiry sent via the provided form – the legal basis for processing is the necessity of processing for the performance of the service provision agreement (Article 6, paragraph 1, letter b of the GDPR);

3.10.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR) consisting in maintaining statistics of inquiries submitted by Users via the Website in order to improve its functionality.

3.10.3. for purposes related to satisfaction surveys, in particular by sending e-mails with a request to complete a satisfaction survey – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f of the GDPR) consisting in maintaining high quality of service and the level of Customer satisfaction with the offered products and services.


§ 4. MARKETING

4.1. The Administrator processes the personal data of Users in order to carry out marketing activities, which may consist of:

4.1.1. displaying marketing content to the User that is not tailored to their preferences (contextual advertising);

4.1.2. displaying marketing content to the User that corresponds to his or her interests (behavioral advertising);

4.1.3. sending e-mail and SMS/MMS notifications about interesting offers or content, which in some cases contain commercial information;

4.1.4. conducting other types of activities related to the direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities);

4.2. In order to carry out marketing activities, the Administrator uses profiling in some cases. This means that thanks to automatic data processing, the Administrator assesses selected factors relating to natural persons in order to analyze their behavior or create a forecast for the future.


CONTEXTUAL ADVERTISING

4.3. The Administrator processes the personal data of Users for marketing purposes in connection with directing contextual advertising to Users (i.e. advertising that is not tailored to the User's preferences). The processing of personal data then takes place in connection with the implementation of the legitimate interest of the Administrator (Article 6 paragraph 1 letter f of the GDPR).


BEHAVIORAL ADVERTISING

4.4. The Administrator and its trusted partners process the personal data of Users, including personal data collected via cookies and other similar technologies, for marketing purposes in connection with the targeting of behavioral advertising to Users (i.e. advertising that is tailored to the User's preferences).


NEWSLETTER

4.5. The Administrator provides the newsletter service on the principles specified in the regulations to persons who have provided their e-mail address for this purpose. Providing data is required in order to provide the newsletter service, and failure to provide it results in the inability to send it.

4.6. Personal data are processed:

4.6.1. in order to provide the newsletter service, which includes sending marketing content – the legal basis for processing is the User’s consent to receive it (Article 6, paragraph 1, letter a of the GDPR);

4.6.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f) of the GDPR) consisting in conducting analyses of Users’ activity on the Website in order to improve the functionalities used;

4.6.3. in order to possibly determine and pursue claims or defend against them – the legal basis for processing is the legitimate interest of the Administrator (Article 6, paragraph 1, letter f) of the GDPR). The User may unsubscribe from receiving the newsletter at any time. They may contact the Administrator by phone at +48 512 833 033 or by sending an e-mail to info@christinacosmetics.pl. The User may also unsubscribe by clicking "Unsubscribe" directly from the newsletter message they received and by making the appropriate settings in the Customer Account.


DIRECT MARKETING

4.7. The User's personal data may also be used by the Administrator to send marketing content to him/her via various channels, i.e. via e-mail or MMS/SMS. Such actions are taken by the Administrator only if the User has given consent to them, which he/she may withdraw at any time.

4.8. If we process Users' personal data for direct marketing purposes, they have the right to object to such processing at any time without giving reasons. This also applies to profiling, to the extent that it is related to direct marketing. If Users object to the processing of personal data for direct marketing purposes, we will no longer process their personal data for these purposes. The objection can be submitted free of charge and in any form, if possible to info@christinacosmetics.pl. In the event that we process Users' data to protect legitimate interests, they may object to such processing at any time for reasons arising from their particular situation. This also applies to profiling based on these provisions. We will then no longer process Users' personal data, unless we prove that there are legitimate grounds for processing that outweigh the interests, rights and freedoms of the Users, and the processing serves to assert, enforce or defend legal claims.


§ 5. SOCIAL MEDIA SITES

5.1. The Administrator processes personal data of Users visiting the Administrator's profiles maintained in social media (Facebook, Instagram). This data is processed solely in connection with maintaining the profile, including for the purpose of informing Users about the Administrator's activity and promoting various types of events, services and products, as well as for the purpose of communicating with users via functionalities available in social media. The legal basis for the processing of personal data by the Administrator for this purpose is its legitimate interest (Article 6, paragraph 1, letter f of the GDPR) consisting in promoting its own brand and building and maintaining a community associated with the brand.


§ 6. COOKIES AND SIMILAR TECHNOLOGY

7.1. Cookies are small text files installed on the device of the User browsing the Service. Cookies collect information that facilitates the use of the Service - e.g. by remembering the User's visits to the Service and the actions they take. They are saved on the User's end device (computer, smartphone, tablet, etc.). By saving these files on the device, it is possible, among other things, to remember login data, so that the User will not have to enter the login and password every time. These files remember the goods added to the basket or adapt the content of the page to the User's interests. Thanks to cookies, it is possible to collect statistical data of the Service, which allows us to develop the Service in accordance with the preferences of our Customers.

7.2. If the User does not agree to the storage of cookies on their device, they should configure their browser settings accordingly or delete the saved cookies from the browser's memory each time they use the service. It should be noted that the use of restrictions on the storage of cookies may make it difficult or impossible to use the Service.

7.3. In order to consent to the storage of cookies, you must express your consent visible at the bottom of the Website.

7.4. The service collects information on geolocation, i.e. the Administrator verifies from what location (country, province and town) the User places the order.


"SERVICE" COOKIES

7.5. The Administrator uses so-called service cookies primarily to provide the User with services provided electronically and to improve the quality of these services. In connection with this, the Administrator and other entities providing analytical and statistical services to the Administrator use cookies, storing information or accessing information already stored in the User's telecommunications terminal device (computer, telephone, tablet, etc.). Cookies used for this purpose include:

7.5.1. cookies with data entered by the User (session identifier) for the duration of the session (user input cookies);

7.5.2. authentication cookies used for services that require authentication for the duration of the session (authentication cookies);

7.5.3. cookies used to ensure security, e.g. those used to detect authentication abuse (user centric security cookies);

7.5.4. multimedia player session cookies (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);

7.5.5. persistent cookies used to personalize the User interface for the duration of the session or slightly longer (user interface customization cookies),

7.5.6. cookies used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Service, to create statistics and reports on the functioning of the Service). Google does not use the collected data to identify the User, nor does it combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners


"MARKETING" COOKIES

7.6. The Administrator and its trusted partners also use cookies for marketing purposes, including in connection with targeting behavioral advertising to Users. For this purpose, the Administrator and trusted partners store information or access information already stored in the User's telecommunications terminal device (computer, telephone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular in the scope of promoting services and goods of third parties, requires obtaining the User's consent. This consent may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing, which was carried out on the basis of consent before its withdrawal.


§ 8. PERSONAL DATA PROCESSING PERIOD

8.1. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service provision or order fulfillment, until:

8.1.1. termination of the contract,

8.1.2. withdrawal of the consent expressed when the legal basis for data processing is the User's consent or

8.1.3. filing an effective objection to data processing in cases where the legal basis for data processing is the legitimate interest of the Administrator.

8.2. The data processing period may be extended each time if processing is necessary to establish and pursue potential claims or defend against them, and after that time only if and to the extent required by law. After the processing period has elapsed, the data is irreversibly deleted or anonymized.


§ 9. USER RIGHTS

9.1. The User has the right to: access the content of the data and request its rectification, deletion, restriction of processing, the right to transfer data and the right to object to the processing of data, as well as the right to lodge a complaint with the supervisory authority responsible for the protection of personal data.

9.2. To the extent that the User's data is processed based on consent, it can be withdrawn at any time by contacting the Administrator or using the functionalities provided on the Website, including the email address: info@christinacosmetics.pl

9.3. The User has the right to object to the processing of data for marketing purposes if the processing takes place in connection with the legitimate interest of the Administrator, and also - for reasons related to the specific situation of the User - in other cases when the legal basis for data processing is the legitimate interest of the Administrator (e.g. in connection with the implementation of analytical and statistical purposes).

9.4. The User has the right to object at any time to the processing of data for the purposes of the satisfaction survey, in particular to object to the sending of e-mails with a request to complete the satisfaction survey, without having to justify such objection.


§ 10. DATA RECIPIENTS

10.1. In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities running the Customer Service Center, entities such as banks and payment operators, entities providing accounting services, couriers (in connection with the execution of the order), marketing agencies (in the scope of marketing services) and entities associated with the Controller, including companies from its capital group.

10.2. If the User consents, their data may also be made available to other entities for their own purposes, including marketing purposes.

10.3. The Administrator reserves the right to disclose selected information concerning the User to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with the provisions of applicable law.


§ 11. DATA TRANSFER OUTSIDE THE EEA

11.1. User data will be transferred to third countries (outside the European Union or the European Economic Area) only if it is necessary for the performance of the contractual relationship, is required by law or if the User has given consent. The Administrator ensures that only those persons who need it to fulfill their contractual and legal obligations will receive User data. Necessary data protection agreements have been concluded with all service providers. The Administrator's data protection guidelines ensure compliance with an appropriate level of data protection, primarily through:

11.1.1. cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;

11.1.2. use of standard contractual clauses issued by the European Commission;

11.1.3. application of binding corporate rules approved by the relevant supervisory authority;

11.2. The Administrator always informs about the intention to transfer personal data outside the EEA at the stage of their collection.


§ 12. PERSONAL DATA SECURITY

12.1. The Administrator ensures the security of personal data through appropriate technical and organizational measures aimed at preventing unlawful processing of data and their accidental loss, destruction and damage. In addition, the Administrator takes special care to ensure that personal information is:

12.1.1. correct and processed in a lawful manner,

12.1.2. obtained only for specific purposes and not further processed in a manner incompatible with those purposes,

12.1.3. adequate, relevant and not excessive in relation to the purposes of their processing,

12.1.4. accurate and up-to-date,

12.1.5. not stored longer than necessary,

12.1.6. stored safely,

12.1.7. not transferred to a country outside the European Economic Area without appropriate protection.

12.2. In order to better secure the User account, the following is recommended:

12.2.1. using a complex password that protects access to the account and prevents third parties from easily guessing it. Such a password should contain at least 8 characters, upper and lower case letters, numbers and special characters.

12.2.2. keeping the login and password to the Customer's account secret, including in particular not disclosing the data (login, password) to any third parties

12.2.3. logging out of the Service after each completed session (completed purchases, adding messages to the forum, etc.). Simply closing the browser window is not equivalent to logging out of the info@christinacosmetics.pl website. Logging out of the info@christinacosmetics.pl website will occur after clicking the "Log out" button, which is located in the upper right corner of the website.

12.2.4. use of antivirus programs, including regular scanning of disks for viruses

12.2.5. using the Service only through trusted computers, on which only verified software has been installed. The use of other people's computers by the User creates a risk of interception of the login, password or other data that the User provides when using the account.

12.2.6. if the User uses the Service on a third-party computer, e.g. in an internet cafe, they should not save data on the computer and should delete the history of pages viewed.

12.3. The Administrator conducts ongoing risk analysis to ensure that personal data is processed by him in a secure manner – ensuring, above all, that only authorized persons have access to the data and only to the extent necessary for the tasks they perform. The Administrator ensures that all operations on personal data are recorded and performed only by authorized employees and associates.

12.4. The Administrator shall take all necessary measures to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Administrator.


§ 13. CONTACT DETAILS

13.1. Contact with the Administrator is possible via e-mail address info@christinacosmetics.pl or correspondence address: TOP COSMETICS EUROPE Spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, at ul. Marszałkowska 126/134, 00-008 Warsaw, RP, NIP 5213980858, REGON 52285606200000.

13.2. The Administrator has appointed a Data Protection Officer, who can be contacted via e-mail at info@christinacosmetics.pl in any matter relating to the processing of personal data.

§ 14. CHANGES TO THE PRIVACY POLICY

14.1. The policy is reviewed on an ongoing basis and updated as necessary.