GDPR information obligation

The following information is a concise, understandable, and transparent summary of the information contained in the Privacy Policy regarding the Data Controller, the purpose and method of personal data processing, and your rights in relation to such processing, in the form required to comply with the GDPR’s information obligation. Details on the manner of processing and the entities involved in this process are available in the indicated policy.

Who is the data controller?

The Personal Data Administrator (hereinafter referred to as the Administrator) is the company “Elgra W.E. Kubik sp.j.,” operating at the following address: ul. Kępska 21, 45-129 Opole, with tax identification number (TIN): 7540272177, providing services electronically via the Website.

How can I contact the data controller?

You can contact the Administrator in one of the following ways

• Postal address – Elgra W.E. Kubik sp.j.,, ul. Kępska 21, 45-129 Opole
• E-mail address – sklep@elgra.info.pl
• Telephone call – +48 77 456 83 74
• Contact form – available under the address: http://super-stars.pl/kontakt-en

Has the Administrator appointed a Personal Data Inspector?

Pursuant to Article 37 of the GDPR, the Controller has not appointed a Data Protection Officer.

In matters relating to data processing, including personal data, please contact the Controller directly.

Where do we obtain personal data and what are its sources?

Data is obtained from the following sources:

• from data subjects
  in the case of registration using social media, with the informed consent of those individuals, from those social media sites

What is the scope of personal data we process?

The website processes ordinary personal data provided voluntarily by the data subjects
(e.g., name and surname, login, email address, telephone number, IP address, etc.).

The detailed scope of the data processed is available in the Privacy Policy.

What are the purposes of our data processing?

Personal data voluntarily provided by Users is processed for one of the following purposes:

• Provision of electronic services:

1. Services related to the registration and maintenance of a User account on the Website and related functionalities
   Newsletter services (including sending advertising content with consent)
2. Services for commenting on/liking posts on the Website without the need to register

• Communication between the Administrator and Users in matters related to the Website and data protection
• Ensuring the legitimate interests of the Administrator

What is the legal basis for data processing?

The website collects and processes User data on the basis of:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Article 6(1)(a)
    the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Article 6(1)(b)
    processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Article 6(1)(f)
    processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
• Act of May 10, 2018 on the protection of personal data (Journal of Laws 2018, item 1000)
• Act of July 16, 2004 Telecommunications Law (Journal of Laws 2004 No. 171 item 1800)
• Act of February 4, 1994 on copyright and related rights (Journal of Laws 1994 No. 24 item 83)

What is the legitimate interest pursued by the Administrator?

For the purpose of possible determination, investigation, or defense against claims – the legal basis for processing is our legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of our rights, including, among others;

• To assess the risk of potential customers
• To evaluate planned marketing campaigns
• To carry out direct marketing

How long do we process personal data?

As a rule, the personal data indicated is stored only for the duration of the service provided by the Administrator. It is deleted or anonymized within 30 days of the end of the service (e.g., deletion of a registered user account, unsubscribing from the newsletter, etc.).

In exceptional situations, in order to protect the legitimate interests pursued by the Administrator, this period may be extended. In such a situation, the Administrator will store the indicated data from the time of the User’s request for its deletion for no longer than 3 years in the event of a violation or suspected violation of the website’s terms and conditions by the data subject.

Who is the recipient of the data, including personal data?

As a rule, the Administrator is the sole recipient of the data.

However, data processing may be entrusted to other entities providing services to the Administrator for the purpose of maintaining the Website’s operation.

Such entities include, among others:

• Hosting companies providing hosting or related services to the Administrator.
• Companies through which the Newsletter service is provided.
• IT service and support companies performing maintenance or responsible for maintaining IT infrastructure.
• Companies intermediating in online payments for goods or services offered on the Website. (in the case of purchases made on the Website)
• Companies responsible for delivering physical products to the User (postal/courier services in the case of purchases made on the Website)

Will your personal data be transferred outside the European Union?

Personal data will not be transferred outside the European Union unless it has been published as a result of individual action by the User (e.g., posting a comment or entry), which will make the data available to anyone visiting the website.

Will personal data be used as a basis for automated decision-making?

Personal data will not be used for automated decision-making (profiling).

What are your rights regarding the processing of personal data?

• Right of access to personal data
  Users have the right to access their personal data, which is exercised upon request submitted to the Administrator.
• Right to rectify personal data
  Users have the right to request the Administrator to immediately rectify personal data that is incorrect and/or to supplement incomplete personal data, upon request submitted to the Administrator.
• Right to erasure of personal data
  Users have the right to request the Administrator to immediately erase personal data, which is exercised upon request submitted to the Administrator.

In the case of user accounts, the erasure of data consists in anonymizing data that enables the identification of the User.

In the case of the Newsletter service, the User has the option of deleting their personal data themselves using the link provided in each email message sent.

• Right to restrict the processing of personal data
  Users have the right to restrict the processing of personal data in the cases specified in Article 18 of the GDPR, including questioning the accuracy of personal data, upon request submitted to the Administrator.
• Right to transfer personal data
  Users have the right to obtain from the Administrator personal data concerning the User in a structured, commonly used, machine-readable format, upon request submitted to the Administrator
• Right to object to the processing of personal data
  Users have the right to object to the processing of their personal data in the cases specified in Article 21 of the GDPR, upon request submitted to the Administrator
• Right to lodge a complaint
  Users have the right to lodge a complaint with the supervisory authority responsible for personal data protection.