This Privacy Policy has been drafted based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”).

§ 1 DATA CONTROLLER

1.       The Controller of your personal data is balticos with its registered office in Harju maakond, Tallinn, Kesklinna linnaosa, Tina tn 18-8, 10126. You may contact the Controller by sending mail

§ 2 DATA PROTECTION OFFICER

1.       The Controller has appointed a Data Protection Officer. This Officer is a competent authority in matters related to the processing of personal data. You may contact the Data Protection Officer from Monday to Friday, 9 AM – 5 PM, by sending an e-mail.

§ 3 TYPES OF, PURPOSES OF, AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA. STORAGE PERIODS

1.       This Privacy Policy determines the rules for processing the personal data obtained from the Customers of the online wholesale shop at www.balticos.pl (hereinafter referred to as the “Online Shop”).
 

2.       The personal data of the Customer are collected and processed for the purposes of:

o    registering an account in the Online Shop (legal basis: processing is necessary for the performance of a contract for the provision of an account – Article 6(1)(b) of the GDPR);

o    making an order in the Online Shop (legal basis: processing is necessary for the performance of a sales contract – Article 6(1)(b) of the GDPR);

o    signing up for a newsletter (legal basis: processing is necessary for the performance of a contract for the provision of a newsletter – Article 6(1)(b) of the GDPR);

o    pursuing legitimate interests of the Controller (legal basis – Article 6(1)(f) of the GDPR); this includes:

§  establishing, seeking and enforcing claims, as well as defending themselves against any claims,

§  producing summaries, analyses and statistics for the Controller’s internal purposes, which, in particular, includes reporting and research activities, as well as development planning for our products,

§  ensuring the security of networks and information,

§  using direct marketing;

o    complying with legal obligations to which the Controller is subject (legal basis – Article 6(1)(c) of the GDPR); this includes:

§  obligations arising from warranties for defects,

§  obligations with respect to issuing and storing invoices and documents required by tax law and provisions on accounting,

§  storage of data in order to prove that accountability obligations and other obligations arising from the provisions concerning personal data protection are fulfilled.
 

3.       Registering an account in the Online Shop requires providing the following:

o    an e-mail address,

o    the name and the surname of the Customer and his contact details,

o    a telephone number.
 

4.       Making an order in the Online Shop requires providing the following:

o    an e-mail address,

o    the name and the surname of the Customer and his contact details,

o    the Tax ID No. (NIP) (if an invoice is requested),

o    a telephone number.
 

5.       Using the newsletter requires providing the following:

o    an e-mail address.

6.       The personal data of the Customer are stored for the following periods, depending on the legal basis of the processing:

Legal basis – Storage period

o    Consent (Article 6(1)(a) of the GDPR) – until such consent is withdrawn; after such consent is withdrawn, until the expiry of claims with respect to actions taken by the Controller under such consent and until the cessation of the Controller’s liability arising from their accountability obligations and other obligations arising from the provisions concerning personal data protection, for the purposes of establishing, seeking and enforcing claims, as well as defending themselves against any claims; producing summaries, analyses and statistics for the Controller’s internal purposes, and ensuring the security of networks and information.

o    Performance of a contract (Article 6(1)(b) of the GDPR) – for the time required to perform the contract; after this time, throughout the limitation period of claims.

o    Pursuit of legitimate interests (Article 6(1)(f) of the GDPR):

§  establishing, seeking and enforcing claims, as well as defending themselves against the claims – until the expiry of claims arising from the contract or from contract-related actions of the Controller (a maximum of 10 years from the performance of the contract or issuing a final court decision),

§  producing summaries, analyses and statistics for the Controller’s internal purposes, which, in particular, includes reporting and research activities, as well as development planning for our products – until the performance of the contract, and following this, until the expiry of claims arising from the contract or from contract-related actions of the Controller,

§  ensuring the security of networks and information – for the whole storage period,

§  direct marketing – throughout the validity period of the contract.

o    Complying with legal obligations (Article 6(1)(c) of the GDPR):

§  obligations arising from warranties against defects – until the liability arising from the warranties expires,

§  obligations with respect to issuing and storing invoices and documents required by tax law and provisions on accounting – until invoices and other documents are issued, and following this, throughout the storage period specified by tax and accounting laws,

§  storage of data in order to prove that accountability obligations and other obligations arising from the provisions concerning personal data protection are fulfilled – until the liability arising from these obligations expires.

8.       Providing personal data to Balticos is voluntary, but necessary for concluding and performing a contract (e.g. implementing an order made in the Online Shop or registering the Customer’s account) or sending a newsletter.

§ 4 TRANSFER OF PERSONAL DATA

1.       Customer’s personal data may be transferred to the following persons and entities:

o    employees and co-workers of the Controller, for whom access to the Customer’s personal data is necessary in performing their obligations or the Controller’s activities for the benefit of the Customer,

o    entities handling the Controller’s ICT systems or providing the Controller with ICT devices, including IT platforms, server space or web hosting space,

o    providers of advisory, consultancy or audit services, as well as entities providing legal, tax and accounting assistance,

o    providers of mail or courier services,

o    providers of electronic payment services, such as Dotpay or PayPal.
 

2.       Upon relevant request, the Controller may have to make the personal data available to the state authorities, and especially to the units of the Prosecutor’s Office, the Police, to the President of the Office for Personal Data Protection, the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.

§ 5 COOKIES

1.       The Controller uses small text files that are saved on the terminal equipment of the person visiting the Online Shop (hereinafter referred to as the “User”). Based on these files, so-called cookies, the Controller collects information that allows them to identify the User’s terminal equipment, its IP address and their browser.
 

2.       Cookies are safe for the User’s devices. Cookies cannot carry viruses, malicious or undesired software onto the User’s devices.

3.       The Users may adapt the settings of their browsers with regard to cookies, so that their automatic installation is switched off, their use is disabled, or so that they are removed from the terminal equipment. Below, the Users can find a list of instructions on how to change cookie settings in the most popular web browsers:

o    Internet Explorer,

o    Microsoft EDGE,

o    Mozilla Firefox,

o    Chrome,

o    Safari.
 

4.       The Controller uses two types of cookies:

o    session cookies – cookies that are removed from the device’s memory after the browser session is ended or after the device is switched off,

o    persistent cookies – cookies that are stored in the memory of the User’s terminal equipment until they expire or are deleted.

Neither session nor persistent cookies allow any personal or confidential data to be obtained from the User’s devices.
 

5.       The Controller uses their own cookies especially for the purposes of authenticating the Users in the Online Shop and maintaining their sessions after they log in, so that they do not have to log in on every subpage of the Online Shop.

6.       The Controller uses external cookies for such purposes as:

o    collecting general and anonymous statistical data using Google Analytics,

o    promoting the Online Shop through Facebook,

o    providing the live chat service to the Users.

§ 6 RIGHTS OF DATA SUBJECTS

1.       The Customers of the Online Shop have the following rights:

o    the right to access their personal data, the right to be informed of their personal data, the right to obtain a copy of their personal data,

o    the right to rectify their personal data if they are inaccurate, and the right to have incomplete personal data completed,

o    the right to have their personal data erased (the so-called right to be forgotten),

o    the right to restrict the processing of their personal data,

o    the right to move their personal data,

o    the right to lodge a complaint with the authority dealing with personal data protection (the President of the Office for Personal Data Protection), should they become aware of unlawful processing of their personal data,

o    the right to withdraw their consent without providing any reason, and without prejudice to the processing that had been undertaken under such consent before it was withdrawn,

o    the right to object to:

§  the Controller’s processing for the purposes of marketing,

§  the Controller’s processing for the purposes of pursuing their legitimate interests – in cases motivated by a special situation of the Customer.

If the Customer’s objection is reasonable, and the Controller has no other legal basis for the processing of the Customer’s personal data, such data will be removed with respect to the type of processing to which the Customer objected.

2.       Each of the above rights and each situation in which they can be exercised are specified in applicable laws, and in particular, the GDPR.
 

3.       Should the Customer address the Controller with a demand to exercise one of the above rights, the Controller will immediately comply with the Customer’s request or refuse to comply with it, within no more than a month from receiving the request. If, however, the Controller is not able to comply with the Customer’s request within a month due to the complex nature of the Customer’s demands, they may do so within the next two months. The Controller must inform the Customer within one month of receiving the request that they intend to take more time to handle it, and must provide the reasons for this.

4.       The Customer may also exercise their rights by contacting the Personal Data Officer via e-mail.

§ 7 PERSONAL DATA SAFETY

1.       The Controller implements adequate technical and organisational measures aiming at protecting the personal data of the Customers against loss, misuse or modification. Access to the Customers’ personal data is restricted, so that no unauthorised persons come into their possession.

§ 8 CHANGES TO THE PRIVACY POLICY

1.       The Controller may introduce changes to this Privacy Policy.
 

2.       An up-to-date version of the Privacy Policy can be found on this subpage, together with a link to its previous version.