1. DEFINITIONS

1.1. Controller – Elfa Pharm sp. z o.o., Chociw 99, 98-170 Widawa, Poland.

1.2. Personal data – all information about an identified or identifiable natural person through one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity, including IP of a device, location data, web identifier, and information collected through cookies and other similar technology.

1.3. Policy – this Privacy Policy.

1.4. GDPR – General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

1.5. Website – a website maintained by the Controller at www.elfapharm.pl.

1.6. User – any natural person visiting the Website or using one or more of the Websites or functionalities described in the Policy.

2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE

2.1. In connection with the use of the Website by the User, the Controller collects data to the extent necessary to provide particular services offered, as well as information about the User’s activity on the Website. Below are described detailed rules and objectives of the processing of personal data collected during the use of the Website by the User.

3. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING IN THE WEBSITE

USING THE WWW.ELFAPHARM.PL WEBSITE

3.1. Personal data of all persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies), and not being registered Users (i.e. persons without a profile in the Website) are processed by the Controller:

3.1.1. in order to provide services by electronic means consisting in making available content uploaded to the Website to Users, product reservations within the framework of product reservation service on the Website, making available offers of other sellers within the framework of the Marketplace service, making available contact forms – then the legal basis for processing is the necessity of processing in order to perform a contract (Article 6(1)(b) of GDPR);

3.1.2. in order to handle purchases made without registration in the Website – then the legal basis for processing is the necessity of processing to perform a contract (Article 6 paragraph 1 letter b of GDPR);

3.1.3. in order to handle complaints, then the legal basis for processing is the necessity of processing in order to perform the contract (Article 6(1)(b) of the GDPR);

3.1.4. for analytical and statistical purposes – then the legal basis for processing is the Controller’s justified interest (Article 6(1)(f) of the GDPR) consisting in conducting analyses of Users’ activity, as well as their preferences in order to improve the applied functionalities and provided services;

3.1.5. in order to establish and pursue possible claims or defend against them – then the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) in the protection of his rights;

3.1.6. for marketing purposes of the Controller and other entities, in particular those related to the presentation of behavioral advertising – the principles of personal data processing for marketing purposes are described in the “MARKETING” section.

User activity on the Website, including his/her personal data, is recorded in system logs (a special computer program used to store chronological records containing information about events and activities concerning the IT system used to provide services by the Controller). Information collected in logs and processed in connection with the provision of services. The Controller shall also process them for technical purposes and, in particular, data may be temporarily stored and processed for the purposes of ensuring the security and proper functioning of the information systems, e.g. in connection with back-up operations, tests of changes in IT systems, detection of irregularities or protection against fraud and attacks.

REGISTRATION AT WWW.ELFAPHARM.PL

3.2. Persons who register in the Website are asked to provide the data necessary to create and maintain an account. In order to facilitate handling, the User may provide additional data, thereby consenting to the processing of such data. Such data can be deleted at any time. Providing data marked as mandatory is required in order to create and maintain an account, and failure to provide such data shall result in the inability to create an account. Providing other data is voluntary.

3.3. Personal data are processed:

3.3.1. in order to provide services related to maintaining and using an account in the Website – the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) GDPR), and, for data provided optionally – the legal basis for processing is a consent (Article 6(1)(a) GDPR);

3.3.2. for analytical and statistical purposes – the legal basis for processing is the Controller’s justified interest (Article 6(1)(f) GDPR) consisting in conducting analyses of Users’ activity on the Website and the manner of using the account, as well as their preferences in order to improve the applied functionalities;

3.3.3. in order to establish and pursue possible claims or defend against them – then the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in the protection of his rights;

3.3.4. for marketing purposes of the Controller and other entities, in particular sellers, using the Marketplace service – the rules of personal data processing for marketing purposes are described in the “MARKETING” section.

3.4. If the User places in the Website any personal data of other persons (including their name, surname, address, telephone number or e-mail address), they may do so only on condition that the provisions of applicable law and personal rights of these persons are not violated.

PLACING ORDERS

3.5. Placing an order (purchase of goods or services) by a Website User entails processing of his personal data. Providing data marked as mandatory is required in order to accept and handle the order, and failure to provide such data shall result in the lack of its processing. The provision of other data is optional. Placing an order by a User within the Marketplace service results in the User’s personal data necessary to complete the order being made available to the seller in order to perform the agreement.

3.6. Personal data are processed:

3.6.1. in order to process the submitted order – the legal basis for processing is the necessity of processing to perform the contract (Article 6(1)(b) GDPR), and, for data provided optionally – the legal basis for processing is a consent (Article 6(1)(a) GDPR);

3.6.2. in order to fulfill the statutory obligations of the Controller, resulting in particular from tax regulations and accounting regulations – the legal basis for the processing is a legal obligation (Article 6(1)(c) GDPR);

3.6.3. for analytical and statistical purposes – the legal basis for processing is the Controller’s justified interest (Article 6(1)(f) GDPR) consisting in conducting analyses of Users’ activity on the Website and their purchase preferences in order to improve the applied functionalities;

3.6.4. in order to establish and pursue possible claims or defend against them – then the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in the protection of his rights;

CONTACT FORMS

3.7. The Controller provides the possibility to contact it using electronic contact forms. Using the form requires providing personal data necessary to contact the User and answer the inquiry. The User may also provide other information to facilitate contact or inquiries. Providing data marked as mandatory is required in order to accept and handle the inquiry, and failure to provide such data shall result in impossibility of providing a response. Providing other data is voluntary.

3.8. Personal data are processed:

3.8.1. in order to identify the sender and handle his inquiry sent by the provided form – the legal basis for processing is the necessity of processing for the performance of the service agreement (Article 6(1)(b) GDPR);

3.8.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting in maintaining statistics of queries submitted by Users via the Website in order to improve its functionality.

4. MARKETING

4.1. The Controller processes Users’ personal data in order to carry out marketing activities, which may consist in:

4.1.1. displaying to the User marketing content which is not adjusted to the User’s preferences (contextual advertising);

4.1.2. displaying the User’s marketing content corresponding to his or her interests (behavioural advertising);

4.1.3. directing e-mail notifications of interesting offers or content that in some cases contain commercial information;

4.1.4. other direct marketing of goods and services (electronic commercial communication and telemarketing).

4.2. In order to carry out marketing activities, the Controller in some cases uses profiling. This means that thanks to automatic data processing, the Controller evaluates selected factors concerning individuals in order to analyze their behavior or to create a forecast for the future.

CONTEXTUAL ADVERTISING

4.3. The Controller processes Users’ personal data for marketing purposes in connection with directing contextual advertising (i.e. advertising that does not match the User’s preferences) to Users. The processing of personal data takes place in connection with the fulfilment of the legitimate interest of the Controller (Article 6(1)(f) GDPR).

BEHAVIOURAL ADVERTISING

4.4. The Controller processes Users’ personal data, including personal data collected through cookies and other similar technologies, for marketing purposes in connection with directing behavioural advertising (i.e. advertising that is tailored to the User’s preferences) to Users. The processing of personal data includes the profiling of users. The use of personal data collected through this technology for marketing purposes, in particular to promote the services and goods of third parties, is based on the legitimate interest of the Controller and only on the condition that the User has consented to the use of cookies. Consent to the use of cookies can be expressed through the appropriate configuration of the browser, and can also be revoked at any time, in particular by clearing the cookie history and disabling cookies in the browser settings.

4.5. This consent may be withdrawn at any time.

DIRECT MARKETING

4.6. If the User has consented to receive marketing information via e-mail, SMS and other electronic means of communication, the User’s personal data shall be processed for the purpose of sending such information. The basis for data processing is a legitimate interest of Elfa Pharm sp. z o.o., consisting in sending marketing information within the limits of the consent granted by the User (direct marketing). The user has the right to object to the processing of data for the purposes of direct marketing, including profiling. The data will be stored for this purpose for a period of time for which there is a legitimate interest of Elfa Pharm sp. z o.o., unless the User objects to receiving marketing information.

5. SOCIAL NETWORKS

5.1. The Controller processes personal data of Users visiting Controller’s profiles in social media (Facebook, YouTube, Instagram, Twitter, Google +, Pinterest). These data are processed exclusively in connection with profile management, including for the purpose of informing Users about Controller’s activity and promoting various types of events, services and products, as well as for the purpose of communication with users through the functionalities available in social media. The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) GDPR) in promoting its own brand and building and maintaining a brand community.

6. MOBILE APPLICATIONS

6.1. The Controller processes Users’ personal data also in order to enable the use of services offered within the Website, as well as additional services via mobile applications. User data is processed for the purpose of registration and use of mobile applications. The legal basis for data processing in this respect is the necessity for the performance of the contract (Article 6(1)(b) GDPR).

6.2. By means of mobile applications, the User may in particular: browse the assortment of the Website, gain access to his account on the Website, place orders and make payments for them, get acquainted with information available in the mobile application and use other functionalities available in the mobile application. The Controller informs that due to technical limitations, the mobile application does not provide the possibility to use all the functionalities of the Website, which are available through the Website.

7. COOKIES AND SIMILAR TECHNOLOGY

7.1. Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information facilitating the use of the website – e.g. by memorizing the User’s visits to the Website and the activities performed by the User.

SERVICE COOKIES

7.2. The Controller uses the so-called service cookies primarily in order to provide the User with services provided electronically and to improve the quality of these services. Therefore, the Controller and other entities providing analytical and statistical services to the Controller use cookies to store information or gain access to information already stored in the User’s telecommunications terminal device (computer, telephone, tablet, etc.). Cookies used for this purpose include:

7.2.1. cookies with data entered by the User (session ID) for the duration of the session (userinputcookies);

7.2.2. authentication cookies used for services requiring authentication for the duration of the session (authenticationcookies);

7.2.3. security cookies, e.g. used to detect authentication breaches (usercentricsecuritycookies);

7.2.4. session cookies of media players (e.g. flash player cookies), for the duration of the session (multimedia playersessioncookies);

7.2.5. permanent cookies used to personalize the User interface for the duration of the session or slightly longer (userinterfacecustomizationcookies),

7.2.6. cookies used to memorize the contents of the shopping cart for the duration of the session (shopping cartcookies);

7.2.7. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze the use of the Website by the User, to create statistics and reports on the functioning of the Website). Google will not use the information collected to identify you or to link this information to any other personally identifiable information. Detailed information about the scope and principles of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.

MARKETING COOKIES

7.3. The Controller also uses cookies for marketing purposes, e.g. in connection with directing behavioural advertising to Users. For this purpose, the Controller shall store information or access information already stored in the User’s telecommunications terminal equipment (computer, telephone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular to promote the services and goods of third parties, shall require the User’s consent. This consent may be expressed through the appropriate configuration of the browser, and can also be revoked at any time, in particular by clearing the cookie history and disabling cookies in the browser settings.

PERSONAL DATA PROCESSING PERIOD

8.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, data shall be processed during the provision of a service or order execution, until the withdrawal of the consent given or effective objection to the data processing in cases where the legal basis for data processing is a legitimate interest of the Controller.

8.2. The period of processing may be extended where processing is necessary for the establishment and enforcement of, or defence against, possible claims, and thereafter only if and to the extent required by law. Once the processing period has expired, the data shall be irretrievably deleted or rendered anonymous.

9. USER PRIVILEGES

9.1. Data subjects have the following rights:

9.1.1. Right to information on personal data processing – on this basis the Controller shall provide the person making such a request with information on personal data processing, including in particular the purposes and legal grounds for processing, the scope of data held, entities to which personal data are disclosed and the planned date of their deletion;

9.1.2. Right to obtain a copy of data – on this basis the Controller transfers a copy of the processed data concerning the person making the request;
9.1.3. Right to rectify data – on this basis, the Controller removes any possible inconsistencies or errors concerning the personal data being processed, and completes or updates them if they are incomplete or have changed;

9.1.4. Right to delete data – on this basis, the User may request the deletion of data whose processing is no longer necessary for the fulfilment of any of the purposes for which they were collected;

9.1.5. Right to restrict processing – on this basis, the Controller ceases to perform operations on personal data, with the exception of operations to which the data subject has consented and their storage, in accordance with the accepted principles of retention, or until the reasons for limiting the processing of data cease to exist (e.g. a decision of the supervisory authority is issued allowing further processing of data);

9.1.6. Right to transfer data – on this basis, to the extent that the data are processed in connection with the concluded agreement or consent, the Controller shall issue the data provided by the data subject in a format that allows their reading by a computer. It is also possible to request that such data be sent to another entity – however, provided that there are technical possibilities in this respect on the part of both the Controller and the other entity;

9.1.7. Right to object to the processing of data for marketing purposes – the data subject may object at any time to the processing of personal data for marketing purposes, without the need to justify such objection;

9.1.8. Right to object to other purposes of processing – the data subject may object at any time to the processing of personal data on grounds of legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property). The objection in this respect should contain a justification and is subject to the Controller’s assessment;

9.1.9. Right to withdraw consent – if data are processed on the basis of consent, the data subject has the right to withdraw it at any time, but this does not affect the lawfulness of the processing carried out before the withdrawal of consent;

9.1.10 Right to complain – in case of recognition that the processing of personal data violates the provisions of the GDPR or other regulations concerning the protection of personal data, the data subject may lodge a complaint with the President of the Office for the Protection of Personal Data.

9.2. A request for the exercise of data subjects’ rights can be filed:

9.2.1. in writing to the address: Elfa Pharm sp. z o.o., Chociw 99, 98-170 Widawa, Polska.

9.2.2. by e-mail to the address: kontakt@elfapharm.pl.

9.3. The application should, as far as possible, indicate precisely what is requested, i.e. in particular:

9.3.1. the right the applicant wishes to exercise (e.g. the right to obtain a copy of the data, the right to erase data, etc.);

9.3.2. which processing the request concerns (e.g. use of a specific service, activity on a specific website, receiving a newsletter containing commercial information to a specific e-mail address, etc.);

9.3.3. which processing purposes the request concerns (e.g. marketing purposes, analytical purposes, etc.).

9.4. If the Controller is unable to determine the content of the request or identify the person submitting the request based on the submitted application, it shall request additional information from the applicant.

9.5. You will receive a reply to your application within one month of receiving it. If it is necessary to extend this deadline, the Controller will inform the applicant of the reasons for such an extension.

9.6. The answer will be given to the e-mail address from which the application was sent, and in the case of applications sent by post, by ordinary mail to the address indicated by the applicant, provided that the letter does not indicate a desire to receive the response to an e-mail address (in this case, please provide the e-mail address).

10. RECIPIENTS OF DATA

10.1. In connection with the performance of services, personal data will be disclosed to external entities, including in particular vendors responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting, legal, audit, consulting services, couriers (in connection with the performance of the order), marketing agencies (with regard to marketing services) and entities related to the Controller, including companies from its capital group and business partners. If you purchase from an entity other than the Controller on the Marketplace platform, your data will be disclosed to the seller for the purpose of concluding and executing a sales contract;

10.2. In case of obtaining the User’s consent, his data may also be made available to other entities for their own purposes, including marketing purposes.

10.3. The Controller reserves the right to disclose selected information concerning the User to competent authorities or third parties, who submit a request for such information, based on the appropriate legal basis and in accordance with the provisions of applicable law.

11. TRANSFERS OF DATA OUTSIDE THE EEA

11.1. The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection, in particular through:

11.1.1. cooperation with entities processing personal data in countries for which the relevant decision of the European Commission has been issued;

11.1.2. use of standard contractual clauses issued by the European Commission;

11.1.3. applying binding corporate rules approved by the relevant supervisory authority;

11.1.4. in the case of data transfers to the USA – cooperation with entities participating in the Privacy Shield programme approved by the European Commission.

11.2. The Controller shall always indicate the intention to transfer personal data outside the EEA at the stage of their collection.

12. PERSONAL DATA SECURITY

12.1. The Controller conducts risk analysis on an ongoing basis in order to ensure that personal data are processed by it in a safe manner – ensuring first of all that only authorised persons have access to the data and only to the extent it is necessary due to the tasks performed by them. The Controller ensures that all operations on personal data are registered and performed only by authorized employees and co-workers.

12.2. The Controller shall take all necessary measures to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on behalf of the Controller.

13. CONTACT DETAILS

13.1. Contact with the Controller is possible via e-mail or postal address Elfa Pharm sp. z o.o., Chociw 99, 98-170 Widawa, Poland.

14. CHANGES TO PRIVACY POLICY

14.1. The policy is constantly reviewed and, if necessary, updated.