WWW.KUFADESIGN.COM ONLINE SHOP
1. The Data Controller for the processing of data collected through the
www.kufadesign.com online Shop is Bartłomiej Polak trading as KUFA.DESIGN –
Bartłomiej Polak entered into the Central Registration and Information on Business
(CEIDG) kept by the minister in charge of economy, HQ address: ul. Skrajna 19a/8, 43-
400 Cieszyn, Poland, principal place of business: ul. Sejmowa 2/6, 43-400 Cieszyn,
Poland, tax identification number NIP: 6262863633, statistical number REGON:
366806768, email address: email@example.com, firstname.lastname@example.org,
telephone number: +48 518 702 149, hereinafter referred to as “Data Controller” or
2. Personal data collected by the Data Controller via the website are processed in
accordance with the Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing
Directive 95/46/WE (General Data Protection Regulation), hereinafter referred to as the
“Definitions” section of the www.kufadesign.com Terms and Conditions.
TYPE OF PERSONAL DATA PROCESSED, PURPOSE AND SCOPE OF DATA COLLECTION
1. PURPOSE AND LEGAL BASIS OF PROCESSING. The Data Controller shall process a User’s
personal data in the following circumstances:
a) Order placement with www.kufadesign.com, for the purpose of performance of the
sales agreement as prescribed under Article 6 (1) (b) of the GDPR (performance of
the sales agreement),
b) Newsletter subscription, for the purpose of sending electronic marketing
communications. The data are processed only after a prior express consent is
obtained from the User, in accordance with Article 6 (1) (a) of the GDPR.
2. TYPE OF THE PERSONALL DATA PROCESSED.
In order to:
a) place an Order with www.kufadesign.com the User submits:
Name and surname,
b) subscribe to a Newsletter the User submits:
Name and surname,
3. PERSONAL DATA STORAGE PERIOD.
Personal data submitted by Users are retained by
the Data Controller for the following retention periods:
a) If the lawful basis is agreement performance: personal data are stored for as long as
necessary for the performance of an agreement, and thereafter until the expiry of
any statutory period of prescription or limitation. Unless a specific regulation
provides otherwise the limitation period is six years, whereas for claims concerning
periodical performances and claims connected with conducting business activity –
b) If the lawful basis is consent: personal data are stored until withdrawal of consent,
and thereafter until the expiry of any statutory period of prescription or limitation for
claims that may be raised by the Data Controller or that may be brought against the
Data Controller. Unless a specific regulation provides otherwise the limitation period
is six years, whereas for claims concerning periodical performances and claims
connected with conducting business activity – three years.
4. The Data Controller may collect additional User information, including, in particular: a
User’s computer IP address, the IP address of the internet provider, domain name,
browser type, duration of a visit, operating system.
5. If the Data Subject has given a separate consent to such processing (Article 6 (1) (a)
GDPR) their personal data may be processed for the purpose of sending electronic
marketing messages or for direct marketing via telephone – in accordance with Article 10
section 2 of the Act on the Provision of Electronic Services of 18 July 2002 or Article 172,
section 1 of the Telecommunications Law Act of 16 July 2004, including profiled
marketing communications if the Data Subject has consented to receive such
6. The Data Controller may collect navigational data, including links and references
followed by the User or information about the User’s activity on the Website. The legal
basis for such processing is the legitimate interest of the Data Controller (Article 6 (1) (f)
of the GDPR), insofar as this data is used to provide an easier access to the electronic
services rendered via the Website and to facilitate the functionality of these services.
7. Submitting personal data to www.kufadesign.com is voluntary.
8. The personal data collected via the Website is subject to automatic processing through
profiling if the data subject has consented to such processing (Article 6 (1) (a) of the
GDPR). As a result of profiling a profile is built of each data subject which enables the
Data Controller to take decisions concerning Users as well as to analyse or predict their
personal preferences, behaviours and attitudes.
9. The Data Controller shall take all reasonable steps to protect the interests of data
subjects and ensure that all data is:
a) lawfully processed,
b) obtained only for specified, lawful purposes, and not further processed in any
manner incompatible with those purposes,
c) factually correct, adequate and relevant in relation to the purposes for which it is
processed; stored in a form that permits identification of the data subject, for no
longer than is necessary for those purposes.
THIRD PARTY ACCESS TO PERSONAL INFORMATION
1. Users’ personal information is shared with third party services providers to enable the
Service Provider to run his business via www.kufadesign.com. Depending on contractual
arrangements and circumstances, those third-party services providers either process
personal data on the Data Controller’s instructions (processors) or themselves determine
the purposes for which and the manner in which personal data is processed (controllers).
2. The Users’ personal data is stored only within the European Economic Area (EEA).
RIGHT OF CONTROLL, ACCESS AND RECTIFICATION
1. Every User has a right to access and/or rectify his personal data as well as the right to
erasure, the right to restrict processing, the right to data portability, the right to object to
processing and the right to withdraw consent at any time without affecting the
lawfulness of processing based on consent before its withdrawal.
2. Legal basis for data subjects’ rights:
a) Access to personal data – Article 15 of the GDPR
b) Rectification of personal data – Article 16 of the GDPR,
c) Erasure of personal data (right to be forgotten) – Article 17 of the GDPR,
d) Restriction of data processing – Article 18 of the GDPR,
e) Data portability – Article 20 of the GDPR,
f) Objection to processing – Article 21 of the GDPR,
g) Withdrawal of consent to processing – Article 7 (3) of the GDPR.
3. The User may exercise his rights under point 2 by sending an email message to:
4. If any request is received in relation to a data subject’s rights, the Data Controller must
comply with or refuse to act on a User’s request without delay but not later than within a
month of receiving the request. However, if a request is complex or if the Data Controller
receives more requests, the Data Controller may extend the time to respond by a further
two months. If this is the case the Data Controller shall inform the User within one
month of receiving their request and explain why the extension is necessary.
5. If the data subject considers that, in connection with personal data relating to him or
her, there is an infringement of the GDPR, the data subject may make a complaint to the
President of the Personal Data Protection Office.
2. Cookies are essential for the provision of electronic services via the Shop. Cookies,
contain information that is necessary for the proper functioning of the Shop and for the
statistical analysis of website traffic.
3. The website uses two types of cookies: “session” cookies and “persistent” cookies.
a) “Session” cookies are temporary files which are stored on the User’s end-device
until they log out (leave the website).
b) “Persistent” cookies remain stored on the User’s device until deleted manually or
automatically after a set period of time.
4. The Data Controller uses their own cookies to provide information on how individual
Users interact with the Website. These files collect information about how Users use the
website, what type of website referred the User to www.kufadesign.com, the frequency
of visits and the time of each visit. This information does not register the Users’ personal
data and is used solely for statistical analysis of website traffic.
5. The Data Controller uses third party cookies for the purpose of collecting general and
anonymous static data by means of Google Analytics, a web analysis tool (Data controller
for third party cookies: Google Inc. based in USA).
6. The User can adjust cookie permissions via options in their browser settings. More
detailed information about cookie management with specific web browsers can be found
in the browsers’ respective settings.
1. The Data Controller shall implement all necessary technical and organisational security
measures to safeguard the data during processing ensuring a level of security
appropriate to the nature of the data to be protected and, in particular, protect the data
against unauthorised access, takeover, processing in violation of law, alteration, loss,
damage or destruction.
2. The Service Provider shall take appropriate technical measures to safeguard the
electronic personal data against unauthorised interception or modification.
apply as well as applicable provisions of Polish law.