TABLE OF CONTENTS:
1.GENERAL PROVISIONS
1.1. This Store’s privacy policy is for informational purposes only, which means it does not constitute a source of obligations for Customers. The privacy policy primarily contains rules regarding the processing of personal data by the Administrator in the Store, including the basis, purposes, and scope of personal data processing and the rights of data subjects, as well as information regarding the use of cookies and analytical tools in the Store.
1.2. The controller of personal data collected via the Store is COBREY YACHTS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Warsaw (registered office and service address: ul. Annopol 22b, 03-236 Warsaw), entered into the Register of Entrepreneurs of the National Court Register under KRS number 0000496649; registry court where the company’s documentation is kept: District Court for the capital city of Warsaw in Warsaw, 14th Commercial Division of the National Court Register; share capital: PLN 100,000; Tax Identification Number (NIP): 5361914089; National Business Registry Number (REGON): 146770934, e-mail address: info@cobrey.pl, telephone number: +48 798 322 022, hereinafter referred to as the “Controller” and also the Seller.
1.3. Personal data in the Store are processed by the Controller in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. Official text of the GDPR: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.4. Using the Store and personal data given is voluntary. Similarly, the provision of personal data by the Customer using the www.cobrey.pl website is voluntary, subject to two exceptions: (1) entering into contracts with the Controller – failure to provide the personal data required for the conclusion and performance of the Contract with the Controller in the cases and to the extent indicated in the Store Terms and Conditions and this Privacy Policy will result in the inability to enter into the contract. Providing personal data is a contractual requirement in such a case, and if the data subject wishes to enter into a contract with the Controller, they are obligated to provide the required data; (2) the Controller’s statutory obligations – providing personal data is a statutory requirement resulting from generally applicable legal provisions imposing on the Controller an obligation to process personal data (e.g., data processing for the purpose of maintaining tax or accounting records), and failure to provide such data will prevent the Controller from fulfilling these obligations.
1.5. The Controller exercises due diligence to protect the interests of the individuals whose personal data they process, and in particular is responsible for and ensures that the data they collect is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed incompatible with those purposes; (3) substantively accurate and adequate in relation to the purposes for which they are processed; (4) stored in a form which permits the identification of data subjects no longer than necessary to achieve the purpose of processing; and (5) processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical and organizational measures.
1.6. Taking into account the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of violations of the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organizational measures to ensure that processing is carried out in accordance with this Regulation and to be able to demonstrate this. These measures shall be reviewed and updated as necessary. The Controller shall apply technical measures to prevent unauthorized access and modification of personal data transmitted electronically.
1.7. All words, expressions and acronyms appearing in this privacy policy and beginning with a capital letter (e.g. Seller, Store, Customer, Product) should be understood in accordance with their definitions contained in the Store Regulations available at www.cobrey.pl.
2. BASICS OF DATA PROCESSING
2.1. The Controller is authorized to process personal data in cases where – and to the extent that – at least one of the following conditions is met: (1) the data subject has consented to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary to comply with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular when the data subject is a child.
2.2. The processing of personal data by the Controller always requires the existence of at least one of the grounds indicated in point 2.1 of the privacy policy. The specific basis for processing Customers’ personal data by the Controller is indicated in the next section of the privacy policy – in relation to the specific purpose of personal data processing by the Controller.
3. PURPOSE, BASIS, AND PERIOD OF DATA PROCESSING IN THE STORE
3.1. Each time, the purpose, basis, period, and recipients of personal data processed by the Controller result from the actions taken by a given Customer. For example, if a Customer decides to submit an inquiry about the configuration, price, or delivery date of a Product or expresses their intention to enter into a Sales Agreement using the contact form available on the website www.cobrey.pl, their personal data will be processed for the purpose of submitting an offer for a Product or entering into a Sales Agreement for a Product.
3.2. The Controller may process personal data within the Store for the following purposes, on the basis, and for the periods indicated in the table below:
| PURPOSE OF DATA PROCESSING | PODSTAWA PRAWNA PRZETWARZANIA DANYCH | OKRES PRZECHOWYWANIA DANYCH |
| Execution of the Sales Agreement or taking action at the request of the data subject before concluding the above-mentioned agreements | Article 6(1)(b) of the GDPR (performance of a contract) – processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract | The data is stored for the period necessary to execute, terminate or otherwise expire the concluded Sales Agreement. |
| Sending commercial information, including direct marketing, using telecommunications terminal equipment (e.g. e-mail, telephone) | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests of the Controller, which include direct marketing – consisting in taking care of the interests and good image of the Controller, its Store and striving to sell Products – for example in connection with the prior consent of the data subject to sending commercial information using telecommunications terminal equipment, such as e-mail or telephone | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for the Controller’s claims against the data subject arising from the Controller’s business activities. The limitation period is specified by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years, and for sales contracts, two years). The Controller may not process data for direct marketing purposes if the data subject has effectively objected to this. Additionally, if the processing is based on consent, the data is stored until the data subject withdraws consent to further processing of their data for the purpose specified in that consent, but this does not affect the lawfulness of processing based on consent before its withdrawal. |
| Bookkeeping | Article 6 paragraph 1 letter c) of the GDPR Regulation in connection with Article 74 paragraph 2 of the Accounting Act of 30 January 2018 (Journal of Laws of 2018, item 395) – processing is necessary to fulfil a legal obligation incumbent on the Controller | The data is stored for the period required by law requiring the Controller to store accounting books (5 years, counted from the beginning of the year following the financial year to which the data relate). |
| Determining, pursuing or defending claims that may be raised by the Administrator or that may be raised against the Administrator | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests of the Controller – consisting in establishing, pursuing or defending claims that may be raised by the Controller or that may be raised against the Controller | The data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for claims that may be brought against the Controller (the basic limitation period for claims against the Controller is six years). |
| Using the website and ensuring its proper functioning | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests of the Controller – consisting in running and maintaining the Store website | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for the Controller’s claims against the data subject arising from the Controller’s business activities. The limitation period is specified by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years, and for Sales Agreements, two years). |
| Maintaining statistics and analyzing website traffic | Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes of the legitimate interests of the Controller – consisting in keeping statistics and analysing traffic in the Store in order to improve the functioning of the Store and increase the sales of Products | Data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than the limitation period for the Controller’s claims against the data subject arising from the Controller’s business activities. The limitation period is specified by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years, and for Sales Agreements, two years). |
4. DATA RECIPIENTS IN THE STORE
4.1. For the proper functioning of the Store, including the execution of concluded Sales Agreements, the Controller must use the services of external entities (such as a payment processor). The Controller only uses the services of processors who provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR Regulation and protects the rights of data subjects.
4.2. Personal data may be transferred by the Controller to a third country, and the Controller ensures that in such a case, this will be done to a country ensuring an adequate level of protection – consistent with the GDPR Regulation. In the case of other countries, the transfer will take place based on standard data protection clauses. The Controller ensures that data subjects have the opportunity to obtain a copy of their data. The Controller transfers collected personal data only when and to the extent necessary to achieve the given data processing purpose, in accordance with this privacy policy.
4.3. The Controller does not transfer data in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only when it is necessary to fulfill a given personal data processing purpose and only to the extent necessary to fulfill that purpose. For example, if a Customer collects a Product from the Seller’s registered office, their data will not be transferred to a carrier cooperating with the Controller.
4.4. The personal data of Store Customers may be transferred to the following recipients or categories of recipients:
4.4.1. entities processing electronic or credit card payments – in the case of a Customer who uses electronic or credit card payments, the Controller shares the collected personal data of the Customer with the selected entity processing these payments at the Controller’s request, to the extent necessary to process the payment made by the Customer.
4.4.2. lessors – in the case of a Customer who uses the services of leasing companies, the Controller shares the collected personal data of the Customer with the designated lessor that serves the Customer.
4.4.3. Service providers providing the Controller with technical, IT, and organizational solutions enabling the Controller to conduct business activities, including the Store (in particular, computer software providers for operating the Store, email and hosting providers, and software providers for managing the company and providing technical support to the Controller) – the Controller shares the collected personal data of the Customer with a selected provider acting on its behalf only in the event and to the extent necessary to achieve a given data processing purpose consistent with this privacy policy.
4.4.4. Accounting, legal, and advisory service providers providing the Controller with accounting, legal, or advisory support (in particular, an accounting office, law firm, or debt collection agency) – the Controller shares the collected personal data of the Customer with a selected provider acting on its behalf only in the event and to the extent necessary to achieve a given data processing purpose consistent with this privacy policy.
5. RIGHTS OF THE DATA SUBJECT
5.1. Right of access, rectification, restriction, erasure, or portability – the data subject has the right to request access to their personal data from the Controller, to rectify, erase, or restrict processing, and has the right to object to processing and the right to data portability. Detailed conditions for exercising the above-mentioned rights are set out in Articles 15-21 of the GDPR.
5.2. Right to withdraw consent at any time – the data subject whose data is processed by the Controller based on consent (pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR) has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5.3. Right to lodge a complaint with a supervisory authority – the data subject whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
5.4. Right to object – The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them based on Article 6(1)(e) (public interest or task) or (f) (legitimate interest of the controller), including profiling based on these provisions. In such a case, the controller is no longer permitted to process the personal data unless they demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise, or defense of legal claims.
5.5. Right to object to direct marketing – If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.
5.6. In order to exercise the rights referred to in this point of the privacy policy, you can contact the Administrator by sending an appropriate message in writing or by e-mail to the Administrator’s address indicated at the beginning of the privacy policy or using the contact form available on the Store’s website.
