Privacy policy

PRIVACY POLICY

The Customer’s personal data shall be processed according to the safety rules, required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)

1. The Data Controller

MB Distribution S.A.

ul. Polska 22/5

00-703 Warsaw, Poland

e-mail: customercare@magdabutrym.com

entered into the Register of Entrepreneurs kept by Regional Court in Warsaw, XII Department of the National Court under the number KRS: 0000834250

NIP (Taxpayer ID number): 5252770912

The Service Provider is the data controller within the meaning of GDPR).

For any inquiries about the Privacy Policy or the processing of the Customer’s data, please contact customercare@magdabutrym.com.

2. The legal basis for processing personal data

The Controller processes the Customer’s personal data:

in order to correctly perform Services, which is justified by the performance of a contract (article 6 paragraph 1 point b).
in order to perform marketing with the prior consent of the Customer (article 6 paragraph 1 point a)
in order to assure compliance with a legal obligation (e.g. tax and accounting laws) to which the Controller is subject (article 6 paragraph 1 point c)
when it is necessary for the purposes of the legitimate interests pursued by the Controller:
- direct marketing (in situations where we deem it appropriate to inform the Customer our new services or changes to our offer)
- security (e.g. fraud detection and loss prevention, acting against any wrongdoing that may affect the Customer and the Service Provider)
- business development (e.g. improving Services and products offered by the Service Provider).
- protection against the assertion of claims (e.g. we store data on completed orders, received returns, and complaints for possible further complaints or legal proceedings)

3. The period for processing personal data

The Controller will only retain the Customer’s information for as long as is necessary for the purposes described in this Privacy Policy, but not longer than 6 years. However, the Service Provider may continue to store and process the Customer’s personal data in order to comply with various finance and tax-related legal obligations and/or for business development purposes.

4. Categories of data collected

The Controller collects, stores, and processes the following categories of data:

the Customer’s identification data: first and last name, address, location at the time of purchase, phone number, e-mail address, IP address
signs which identify the device or software that the Customer used
information of the Customer’s use of website
any other information provided by the Customer when contacting the customer service.

The Service Provider may on occasion process data collected directly from the Customer with data accessible from publicly available sources (e.g. social media platforms and third-party websites) for purposes characterized as the legitimate interest of the Service Provider.

5. Receivers of personal data

The Controller does not disclose the Customer’s personal data, except:

when it is required to comply with a legal obligation or to respond to any lawful request from a competent authority
with payment operators and banks
with external service providers, responsible for the IT, the customer service, landed cost calculation, shipping, order fulfillment, and email marketing
with other entities within our capital group, where this is necessary for the performance of a contract or for other purposes for which we collect data (e.g. due to the division of responsibilities between entities within the group).

6. International transfers

The personal data that the Controller collected from the Customer is stored within the European Union (EU) but may also, whenever necessary, be transferred to and processed in a country outside of the EU by third parties, such as Payments System Operators, order fulfillment services, shipping service - for example, if you order goods with delivery to an address outside the EU. Also we may share data with entities from our group which are operating outside the EU if the Customer is also based outside the EU to improve the Customers experience when using our services in the future, e.g. by informing about our activities or services in your country/region.

Any such transfer of Customer’s personal data will be carried out in compliance with applicable laws and without undermining Customer’s statutory rights. We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission, or with whom we have put in place appropriate measures to ensure that data is adequately protected. These measures will usually include use of approved standard contractual clauses.

7. Profiling

The Controller does not use profiling or automated decision-making.

8. The subject's rights under the General Data Protection Regulation

8.1. Right to access

As a data subject, the Customer has the right to request information on the processing of the personal data held by the Controller. To access this information, please contact customercare@magdabutrym.com.

8.2. Right to rectification

As a data subject, the Customer can have their personal data rectified if the Controller is processing the personal data that is no longer accurate.

8.3. Right to erasure

As a data subject, the Customer can have their personal data erased, which is no longer necessary for the The Controller. The request can be declined for legal/security reasons, if the the Controller is obligated by law to keep data or e.g. Customer’s order has not yet been delivered, or if the Customer has an ongoing matter with the customer service.

8.4. Right to restriction of processing

As a data subject, the Customer has the right to restrict the processing of their personal data. The Service Provider will not continue to process the personal data unless it can demonstrate a legitimate reason for data processing that overrides the interest and rights of the Customer.

If the Customer is of the opinion that the Controller is processing inaccurate personal data about the Customer, the Customer has the right to have the processing restricted until it can be determined whether or not the personal data in question are accurate or not.

The Customer has the right to have the processing of their personal data restricted if the Controller is processing the personal data illegally, due to the fact, that the personal data is no longer necessary for the task, where the personal data is used, however, the personal data is necessary to the Customer for later determining, defending or making a legal claim.

8.5. Right to data portability

The right to data portability implies that the Customer can request transfer of their personal data to another controller if they have provided the personal data to the Controller.

8.6. The objection against direct marketing

As a data subject, the Customer has the right to object to the processing of their personal data for direct marketing.

8.7. Right to withdraw the consent

If the Customer has consented to the Controller processing of personal data, the Customer can at any time withdraw their consent. Withdrawing the consent will however not affect the legality of the processing, which has already taken place.

9.8. Right to lodge a complaint with a supervisory authority

As a data subject, if the Customer is of the opinion that the Controller does not comply with its obligations under the General Data Protection Regulation, the Customer has the right, at any time, to lodge a complaint with the Office of the President for Personal Data Protection (Urząd Ochrony Danych Osobowych).

Office of the President for Personal Data Protection

Urząd Ochrony Danych Osobowych

Stawki 2

00-193 Warsaw

Poland

Tel. +48 22 531 03 00

Fax +48 22 531 03 01

E-mail: kancelaria@uodo.gov.pl