The Personal Data Controller on the website at: www.coollycoolly.com, hereinafter referred to as the “Store” is “Fundusz DAF Finance spółka akcyjna” sp. j. with their registered office in Wrocław (53-329), pl. Powstańców Śląskich 1/114, NIP: 8971791936, KRS 0000489410, hereinafter referred to as the “Controller”.
Respecting the rights of personal data subjects and respecting applicable law, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general data protection regulation), hereinafter referred to as the “GDPR”, the Act of May 10, 2018 on the protection of personal data (Journal of Laws 2018, item 1000, hereinafter referred to as the “Act”) and other relevant provisions on the protection of personal data, we undertake to maintain the safety and confidentiality of the personal data obtained. All employees have been properly trained in the processing of personal data, and as the Personal Data Controller, we have implemented appropriate safeguards as well as technical and organizational measures to ensure the highest level of personal data protection, thus ensuring compliance with the law and reliability of data processing processes, as well as the enforceability of all rights of data subjects.
The following personal data may be collected by our Store: name and surname; e-mail address; IP address; telephone numbers; address; NIP (Tax Identification Number); bank account number; payment card details
Data listed in item 3 is provided in order to enable the use of the Store’s offer, including the conclusion of contracts for the sale of goods. In accordance with the principle of minimization, we process only the categories of personal data that are necessary to achieve the purposes referred to in this item.
The Controller processes personal data for the period necessary to achieve the goals listed in item 4 above, taking into account the legitimate interest of the Controller, referred to in item 7(b). Personal data may be processed for a period longer than indicated in the preceding sentence, if such a right or obligation imposed on the Controller results from specific legal provisions or from the legitimate interest of the Controller, referred to in item 7(c) below (i.e. for the period of limitation of claims or completion of relevant proceedings, if they were initiated during the period of limitation).
The source of the data processed by the Controller are the users of the Store, i.e. data subjects, being buyers of the Product.
The legal basis for the processing of users’ personal data is: sec. 1(b) of the GDPR, i.e. necessity related to enabling the use of the Store’s offer, including concluding contracts for the sale of goods, or
sec. 1(c) of the GDPR, i.e. necessity to fulfil the legal obligations incumbent on the Controller, or
sec. 1(f) of the GDPR, i.e. the Controller’s legitimate interest in establishing, investigating or defending claims until their expiry or until the completion of the relevant proceedings, if they were initiated within this period, or
sec. 1(a) of the GDPR, i.e. the user’s consent to the processing of personal data for specific purposes, when other legal grounds for the processing of personal data do not apply.
Users’ personal data is not transferred to a third country or an international organization within the meaning of the provisions of the GDPR. In the event that users’ personal data is transferred to a third country or an international organization, users will be informed in advance, and the Controller will apply the safeguards referred to in Chapter V of the GDPR.
Personal data may be entrusted for processing to entities processing such data on our behalf as Personal Data Controllers. In such a situation, as the Personal Data Controller, we conclude a data processing entrustment agreement with the processor. The processor processes the entrusted personal data only for the needs, to the extent and for the purposes indicated in the entrustment agreement.
In some cases, personal data may be profiled. Thanks to automatic data processing, the Controller evaluates selected factors relating to natural persons in order to send them content corresponding to their preferences.
In accordance with the provisions of the GDPR, each person whose personal data we process as the Personal Data Controller has the right to:
be informed about the processing of personal data, as referred to in art. 12 of the GDPR,
access their personal data, as referred to in art. 15 of the GDPR,
correct, supplement, update, and rectify personal data, as referred to in art. 16 of the GDPR,
delete their data (the right to be forgotten), as referred to in art. 17 of the GDPR,
limit processing of their data, as referred to in art. 18 of the GDPR,
transfer their data, as referred to in art. 20 of the GDPR,
object to the processing of personal data, as referred to in art. 21 of the GDPR,
in the case of the legal basis referred to in item 10 (d) above – the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal,
not to be subject to profiling, as referred to in art. 22 in connection with art. 4 item 4 of the GDPR,
lodge a complaint to the supervisory body (i.e. to the President of the Personal Data Protection Office), as referred to in art. 77 GDPR,
In order to exercise the rights referred to in the preceding item, as well as to submit an inquiry, request or complaint regarding the processing of personal data, please send a message via e-mail to the following e-mail address: email@example.com or in writing to the correspondence address of the Controller: ul. Powstańców Śląskich 1/114, 53-329 Wrocław.
The content of the notification should clearly include:
data of the person or persons concerned by the notification,
the event being the cause of the notification,
your requests and the legal basis for those requests,
the expected way of settling the matter.
Each identified breach of safety is documented, and in the event of one of the situations specified in the provisions of the GDPR or the Act, data subjects are informed about such a breach of the provisions on the protection of personal data.