The purpose of this Privacy Policy (personal data protection policy), hereinafter the “Policy”, is to implement and continuously ensure, at HEYTOYS PROSTA SPÓŁKA AKCYJNA (HEYTOYS PSA), the level of personal data protection required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) in connection with the processing of personal data.

This Policy applies to personal data processed both in traditional form in books, files, registers and other record sets, and in IT systems.

1. Data Controller

The controller of the personal data of Buyers placing orders for Products offered by the Seller is HEYTOYS PROSTA SPÓŁKA AKCYJNA with its registered office in Wrocław (registered office and service address: ul. Sokalska 2, 54-614 Wrocław), entered in the Register of Entrepreneurs of the National Court Register under number KRS 0000994349 kept by the District Court for Wrocław–Fabryczna in Wrocław, 6th Commercial Division of the National Court Register; share capital: PLN 5,000; NIP (VAT ID): 8943195820, REGON: 523247336; e-mail: biuro@heytoys.pl; phone: +48 533 957 287.

The Seller obtains the personal data of Buyers from Buyers who place orders for Products. The Buyer’s personal data is processed in accordance with the GDPR.

2. Principles of Personal Data Processing

The Seller processes personal data:

• lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

• for specified, explicit and legitimate purposes and does not further process it in a manner incompatible with those purposes (“purpose limitation”);

• in a manner that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (“data minimisation”);

• ensuring that it is accurate and, where necessary, kept up to date (“accuracy”);

• in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed (“storage limitation”);

• in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

To implement the principles specified above, the Seller processes personal data on the bases and within the limits set out in Article 6 of the GDPR. With respect to the persons whose personal data is processed, the Seller fulfils the information obligations under Article 13 or Article 14 of the GDPR and indicates their applicable rights.

The Seller ensures data protection when using the services of external entities by concluding appropriate data processing agreements and by using processors that comply with obligations arising from the GDPR.

3. Purposes of Processing Personal Data

Personal data of Buyers may be processed for the following purposes:

• fulfilling orders / carrying out the transaction of purchasing a Product from the Seller’s offer – pursuant to Article 6(1)(b) GDPR; data is stored for the period necessary for the performance, termination or other expiry of the concluded contract;

• keeping the Seller’s accounting books – pursuant to Article 6(1)(c) GDPR in conjunction with Article 74(2) of the Accounting Act; data is stored for the period required by law;

• establishing, pursuing or defending claims that may be raised by the Seller or against the Seller – pursuant to Article 6(1)(f) GDPR; data is stored for the period of the legitimate interest pursued by the Seller, but no longer than the limitation period for claims;

• compiling statistics and analysing traffic within the Seller’s offerings – pursuant to Article 6(1)(f) GDPR (the controller’s legitimate interest); data is stored for the period of the legitimate interest pursued by the Seller, but no longer than the limitation period for claims;

• where the Buyer has given prior consent, the Buyer’s data will be processed for the purpose indicated in the consent – pursuant to Article 6(1)(a) GDPR; data is stored until the data subject withdraws consent to further processing for this purpose.

The Seller ensures that only persons authorised by the Seller are granted access and authorisation to process personal data.

4. Security Measures

Taking into account the state of the art, the cost of implementation, as well as the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Seller implements and maintains appropriate technical and organisational measures to ensure the highest level of data security.

5. Recipients of Personal Data

The Buyer’s personal data may be disclosed to the following recipients or categories of recipients:

• the selected carrier or intermediary performing shipments on behalf of the Seller – where applicable;

• providers supplying the Seller with technical, IT and organisational solutions enabling the conduct of business activity (in particular, providers of computer software, e‑mail and hosting services, and software for management and technical support), to the extent necessary to achieve the processing purpose consistent with this Policy;

• providers of accounting and legal services that provide the Seller with accounting, legal or advisory support (in particular an accounting office, law firm or debt collection company), to the extent necessary to achieve the processing purpose consistent with this Policy.

6. Rights of the Data Subject (Buyer)

A Buyer whose personal data is processed has the right to request from the Seller access to their personal data, rectification, erasure or restriction of processing, the right to object to processing, and the right to data portability. If the data is processed on the basis of consent, the Buyer has the right to withdraw consent at any time. A Buyer whose personal data is processed by the Seller has the right to lodge a complaint with a supervisory authority under the GDPR and Polish law, in particular with the President of the Personal Data Protection Office (Prezes UODO). To exercise the above rights, a relevant message may be sent in writing or through the form available in the offer description under the “About the Seller” tab in the “Contact” section.

Providing personal data by the Buyer is voluntary; however, failure to provide the data indicated as necessary for participation in the Transaction, i.e. placing an order and concluding a sales contract, will result in the inability to carry out the Transaction with the Seller. Data necessary to conclude a sales contract or participate in the Transaction is indicated each time on the Seller’s website.

7. Liability of Persons Authorised to Process Data

Failure to comply with this Policy by persons authorised by the Seller to process personal data, and any breach of data protection procedures by personnel authorised to process personal data, will result in the Seller enforcing liability as provided for by applicable law.