§ 1. Definitions
Internet Service means platform/server operating under www address
External Service means internet services provided by the Collector’s partners, contractors or customers
· Personal Data Controller (hereinafter ‘Controller’) – TREC NUTRITION sp. z o.o. with its registered office in Gdynia, ul. Śmidowicza 48, 81-127 Gdynia, entered into the National Court Register of the District Court Gdańsk-Północ in Gdańsk, 8th Commercial Department of the National Court Register under the KRS number: 0000315748, NIP: 9581602454, REGON: 220696468, share capital: PLN 50, 500.00 acting as an entity responsible for the website administration and collecting and having access to personal data of data subjects on a User’s device.
User means a natural person or any other person acting on behalf of the natural person to whom Personal Data Controller provides services electronically via Service
Device means electronic device and related software, by means of which the User may access the Service.
Cookies mean small files that are recorded and stored on a User’s Device.
§ 2. Personal Data Controller, contact data
The Controller of a User’s personal data is TREC NUTRITION sp. z o.o. with its registered office in Gdynia, ul. Śmidowicza 48, 81-127 Gdynia, entered into the National Court Register of the District Court Gdańsk-Północ in Gdańsk, 8th Commercial Department of the National Court Register under the KRS number: 0000315748, NIP: 9581602454, REGON: 220696468, share capital: PLN 50, 500.00
· In all matters related to personal data protection, please contact the Inspector of Personal Data Protection indicated by the Controller, by sending an email to the following email address: firstname.lastname@example.org, or call on +48 58 660 13 51, or send a letter at ul. Śmidowicza 48, 81-127 Gdynia.
§ 3. Principles and lawfulness related to processing of Personal Data
In order to demonstrate compliance with the regulations with regard to the processing of personal data and ensure the adequate level of protection and security in order to safeguard the rights and freedoms for our customers, employees, contractors and partners, TREC NUTRITION sp. z o.o. implemented the personal data protection policy and other procedures that are in line with ‘accountability’ principle (‘lawfulness, fairness and transparency’) under Art. 5 of the GDPR.
I. The Controller shall collect personal data and the processing of personal data of data subjects shall be lawful and to the extent set out below:
· processing is necessary for the performance of a contract of sale or an agreement for the provision of electronic services or to take steps at the request of the data subject to which the data subject is a party prior to entering into the abovesaid contracts or agreements (Art. 6 para. 1 letter b of the GDPR); personal data shall be stored for the period necessary to perform, terminate or otherwise expire of the Contract of Sale of the agreement for the Provision of Electronic Service;
· processing is necessary for compliance with a legal obligation to which the Controller is subject (Art. 6 para. 1 letter c of the GDPR); in order to provide bookkeeping or accounting services, personal data shall be stored for the period required by law and regulations which require the Controller to retain such Records (until the expiry of the limitation period for tax liability unless tax regulations provide otherwise) or Accounting Books (for the 5-year period commencing at the start of the year following the fiscal year to which such data pertain);
· processing is necessary for the purpose of the legitimate interests pursued by the Controller (Art.6 para.1 letter f of the GDPR) in connection with the processing and handling queries via phone, electronically or in relation to social media channels; personal data shall be stored for as long as it is necessary to fulfil the purpose for which the data have been collected;
· direct marketing pursued in connection with the legitimate interest of the Controller (Art.6 para. 1 letter f of the GDPR) in relation to protecting vital interests, good image and reputation of the Controller, the Controller’s Online Shop and the Controller’s intent to sell Products; personal data shall be stored for as long as the legitimate interest of the Controller is pursued, however no longer than for the statute of limitations as regards the processing of personal data in connection with the Controller’s business activity. The limitation period is specified by the law, including without limitation the Civil Code (for claims connected with conducting business activity the standard limitation period being 3 years, and for claims for periodical performance - a Contract of Sale – 2 years); in order to be entitled to the processing of personal data for the purpose of direct marketing, the Controller must obtain a person’s consent subject to such personal data;
· Your personal data subject to the processing under Art.6 para.1 letter f of the GDPR shall be profiled and customised according to Your interests which shall be determined and evaluated based on the content browsed by You on the Controller’s websites and based on statistical analysis and prediction made by the Controller in order to excel the Controller’s marketing services; based on the obtained consent under Art.6 para.1 letter f of the GDPR, personal data shall be stored until the consent to the intended further processing of data subjects by the person subject to these personal data is revoked;
· Your consent to the processing of personal data in the form of Cookie files in order to personalise, customise, save your preferences or settings, inter alia IP address, date, login time, shall be the basis for such processing and Your personal data shall be stored until such consent is withdrawn;
· Establishing, exercising or protection of rights by the Controller or vested in the Controller, in connection with the Controller’s legitimate interests or exercised by a third party (Art. 6 para.1 of the GDPR) with regard to establishing, exercising or protection of such rights by the Controller or against the Controller; personal data shall be stored for as long as the legitimate interests of the Controller persists, however, no longer than the limitation period);
II. The Controller shall safeguard the personal data by applying and implementing applying appropriate technical and organisational measures for ensuring the security of the processing any breach of security leading to the accidental, or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data.
III. Personal data collected lawfully to pursue the abovementioned purposes shall be processed for the period necessary to pursue the said purposes, including the performance of the contract or public interest or in the exercise of official authority vested in the Controller.
IV. The Controller shall comply with the transparency of processing operations and processing procedures:
· by notifying of the processing of personal data upon the collection of such data, in particular the extent, purpose and legislative framework for the processing of personal data, unless separate regulations state otherwise,
· ensuring that the data are collected only to the extent required by the specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with those purposes.
V. At all times, when processing the personal data, the Collectors shall protect and safeguard the integrity and confidentiality of personal data and access of data subjects to such personal data. In the event, despite appropriate security measures, of personal data breach (e.g. ‘leakage’ or loss of personal data) leading to the violation of rights and freedom of data subjects highly likely, the Controller shall notify data subject of such infringement in a manner specified in the applicable regulations.
VI. The Controller shall make all the necessary endavours to ensure that the Controller, its contractors and related business partners commit to provide for all appropriate safeguards for the rights and interests of the data subjects when process personal data on behalf of the Controller.
VII. The Controller shall carry out ongoing risk assessment and monitor the adequacy of all applied safeguards in order to identify potential risks. Should it be necessary, the Controller shall implement additional security measures to ensure proper level of protection of personal data.
§ 4. Social media
I. The Controller owns public profiles on social media platforms Facebook and LinkedIn. Therefore, the Controller processes personal data of persons who visit these profiles (inter alia comments, likes, internet identifiers). Personal data of these visitors are processed in order to enable them be active users on these profiles, in order to improve the usability and functionality of profiles by providing visitors with information on actions and activities related to promoting various events, services and products, for statistical and analytical purposes and to exercise your rights or defend against claims. The legal framework for processing of personal data on social media is legitimate interest of the Controller (Art. 6 para. 1 letter f of the GDPR) with regard to promoting the brand of the Controller and improving quality of provided services, informing and presenting results and direct communication with our online offerings , and if necessary – to exercise the rights or defend against claims.
II. We process personal data, if such personal data is transmitted online and by means of platforms or portals, e.g. by publishing articles about online activity or sending notifications or messages. Moreover, Facebook may, inter alia provide reporting metrics and insights (e.g. total number of page views, page likes, actions on page, posts, videos, reach, comments, reactions, shares, messages, etc.) that help us better understand and define interests and preferences, thus we can improve on the attractiveness of our articles or the presentation or choose adequate time for publishing. Our internet websites use links to social media platforms, which prevents transmitting of our users’ personal data to social media networks without their consent requested upon visiting our website. The links aim to establish the connection between our online activity in a given social media exclusively upon request - which is enabled after clicking on a link by a user. After clicking on the link, the IP address, general information from the header of the user's browser is sent to the respective social network. The respective social network may collect further personal data as soon as you make use of its offers. For example, if you are logged in to your account, Facebook can associate your visit with your account. Please note that we are not aware of the content of the personal data transmitted in the further process or their use by social networks.
§ 5. Data portability and transfer or disclosures to various Recipients
I. The recipients of data subjects’ personal data, depending on the purpose of the processing, may be e.g. IT solution providers, telecommunications service providers, related partners, persons using websites or social networks with regard to data published there, competent public authorities, agencies or another body as well as any authorised natural and legal persons acting for and on behalf of the Controller.
II. Transfer of personal data to Trusted Partners
The personal data may be made available to the Controller's Trusted Partners based on the legitimate interest of the Controller or on the basis of consent. It is about sharing your personal data stored in cookies on your devices and its cache (including data provided in the browsing history and data collected during your activity in services) and location data generated by your device - for marketing purposes (including automated analysis of Your activities on websites (cookies, etc.) on your devices and reading such tags.
The above section applies to the processing of your personal data for marketing purposes by Trusted Partners, Trusted Partners being e-commerce companies, advertisers or similar organisations the Controller cooperates with. The list of Trusted Partners can be found on the last page of this document.
Transfer of personal data outside EEA
Our partners are based mainly in the countries withing the European Commercial Area (EEA) or in Switzerland, recognised as the country that meets an adequate level of personal data protection. Some of our Trusted Partners, e.g. Google or Facebook, are based outside the EEA, therefore we transfer personal data outside the EEA only when necessary, ensuring an adequate level of protection, primarily through:
· having business relations with entities which process Personal Data in countries where an adequate level of protection of Personal Data is ensured pursuant to the European Commission’s decision;
· ensuring compliance with the European Commission’s standard contractual clauses;
· applying binding corporate rules approved by the competent regulatory authority.
Users are entitled to request access to their personal data, rectify, delete or restrict the extent of the processing, transfer their personal data or file a complaint to the Inspector of the Personal Data Protection Office, should their personal data be, in their discretion, processed contrary to the provisions of the above-mentioned regulation.
III. Users are entitled to object to the processing of personal data when such processing is carried out on the basis of a legitimate interest or consent to promotional activities. In the event that the processing of personal data is carried out on the basis of the data subject having consented to processing of personal data, they are entitled to withdraw such consent. This withdrawal does not affect the compliance of the processing with the applicable law, which was made on the basis of consent prior to its withdrawal.
IV. Rejection of the request or withdrawal of consent can be expressed by sending a letter to the following email address email@example.com or the Controller’s office address.
If you wish to obtain information or wish to exercise any of your rights, please contact the relevant controller directly. This is because only the relevant controllers have access to your personal data and can provide you with relevant information and, if necessary, take further action. If you need help in exercising your rights, you can contact us at any time.
More details on the data processing by the respective controller as well as the requirements for rejection (opt-out) can be found in the information provided by the respective controller.
§ 6. Types of cookies used
I. Cookies used by the Controller are safe for the User’s Device. In particular, this way it is not possible for viruses or ransomware, spyware or malware to enter Users' Devices. These files allow to identify the software used by the User and customise the site’s settings individually to each User in accordance with the agreement. Cookies usually contain the name of the domain they come from, storage time on the User’s Device and the assigned value.
II. The Controller uses the following types of cookies:
· Session (Transient) cookies are stored on the User's Device and remain there until the end of the browser session. The data are then permanently deleted from the memory of the Device. The mechanism of session cookies does not allow the collection of any personal data or any confidential information from the User's Device;
· Persistent (Permanent) cookies are stored on the User's Device and remain there until expired or deleted. Ending a browser session or turning off the Device does not delete them from the User's Device. The persistent cookies mechanism does not allow for the collection of any personal data or any confidential information from the User's Device.
· Necessary cookies are cookies that enable our website to function. They support the basic technical functions enabling users to log into secure areas of the website and use a shopping cart. The use of these cookies does not require your consent and they are saved on your device by default. They are active for the duration of your visit to the site or a little longer. You can block these cookies using your browser settings.
· Analytics cookies
[opt-out cookies are marked consent by default; consent cannot be selected by default; consent is marked if “continue” was selected in the pop-up]
We wish to get insight into how You, as a User, use our service. Profiling User’s activity will allow us to gather metrics and statistics which will help us improve our service. For this purpose, we use Google Analytics and Google Tag Manager . The activity period is maximum 26 months.
III. The User may limit or disable access of cookies to User’s Device as set out in § 8. Should you opt for this, the use of the Website will be limited to functions, which, due to their nature, do not require cookies.
§ 7. Purposes for which cookies are used
I. The Controller shall deploy its own (first-party) Cookies to optimise configuration of the service, and in particular to:
· tailor web page content to User's preferences and thus optimise for usability and make website more operational;
· recognise the Website User's device and its location and select websites tailored to User’s individual preferences;
· remember the settings selected by the User and personalise the User's interface, e.g. with regard to User’s respective language or region;
· remember the history of multiple visits online in order to customise content;
· font size, website design (visual appearance), etc.
II. The Controller shall deploy its own (first-party) Cookies to authenticate the user on the website and ensure sessions and interaction with the site, in particular to:
· maintain the Website User's session (after logging in), thanks to which the User does not have to re-enter the login and password on each subpage of the Website;
· ensure proper configuration of selected Website functions, allowing in particular verification of the authenticity of the browser session;
· optimise and improve the efficiency of services provided by the Controller.
III. The Controller deploys its own cookies to implement the processes necessary for the full functionality of the website, in particular:
· tailor the web content to the User's preferences and optimise for usability of web pages. In particular, these files are designed to allow the website to recognise the basic parameters of the User's Device and display the webpage tailored to his or her individual preferences;
IV. The Controller deploys its own cookies to remember a choice user makes over a site’s settings, and in particular to correctly configure selected functions of the Website to enable the tailoring of the content provided to the User, taking into account his or her previous interactions with the website.
V. The Controller deploys first-party and third-party cookies for analytics strategies and online audience audit, in particular content audit to gather analytics data (about User behaviour) which allows to assess how well the content meets audience needs and allows for improvements.
VI. The service processor uses third-party cookies to log into the website using the Google social networking site (external cookie processor : Google Inc. based in the USA).
VII. The service processor uses third-party cookies to popularize the website using social networking sites Facebook (controller of third party cookies: Facebook Irleand)
§8 Cookie management and access
II. The user may at any time delete cookies using the functions integrated in the web browser.
IV. The processing of personal data is carried out for the purpose of providing services electronically. The controller is entitled to process any personal data that are required to provide the service. Personal data that are not necessary to provide the service may be processed by the Controller only with the consent.
V. Each data subject has the right to access their data, to modify them or request deletion. For this purpose, please contact the Controller by letter or by e-mail to the firstname.lastname@example.org.
VI. Data subjects may at any time remove their Account from the Website. All User's data will be permanently and irretrievably deleted upon such deletion.
VII. If the User submits a request to delete the personal data provided in the Account registration form, further provision of the service is impossible for technical reasons.
§ 9 Storage period and third-party access to Cookie files
Any international transfer or processing of personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or any disclosure or transfer of personal data to any third parties, whether person, body or organisation, will only be done if it is to: fulfill our (pre-) contractual obligations, subject to express consent or contractual or legally required transfer. We process or transfer personal data only in third countries with recognised level of data protection and safeguards specified in Art. 44-47 of the GDPR. This means that the processing is carried out based on certain special guarantees such as officially recognised specific contractual obligation s, (the so called “standard protection clauses").
Therefore, the Controller transfers Personal Data outside the EEA only when it is necessary, with an adequate level of protection in place, in particular:
· when cooperating with entities processing Personal Data in countries for subject to the European Commission clause regarding the assurance of an adequate level of protection of Personal Data;
· when applying standard contractual clauses;
· when applying binding corporate rules approved by the competent regulatory authority.
The Controller always informs about the intention to transfer Personal Data outside the EEA upon collection of such personal data.
Only in exceptional cases may your full IP address be sent to a Google server in the USA.
II. Changes made will always be published on this page. The current version published on our website shall apply.
The changes implemented shall become effective on the day of publication.