INFORMATION ABOUT THE DATA CONTROLLER FOR RAINBOW COMMERCE CUSTOMERS
pursuant to Article 13 GDPR
1. The Controller of the personal data is RAINBOW COMMERCE Sp. z o.o. with its registered office in Warsaw, Bartycka St., 22B/21A, 00 - 716 Warsaw, KRS No.: 0000886995 (hereinafter referred to as "Controller"), e-mail address: contact@rainbow-commerce.com.
2. The purpose of processing personal data is:
a) concluding a contract for sale of goods with the Controller;
b) the performance of customer identification by the Controller in performance of its obligation under Article 34(1)(2) of the Anti-Money Laundering and Countering the Financing of Terrorism Act of 1 March 2018. (hereinafter referred to as the "AMLA”).
4. The legal basis for the processing of personal data is:
a) insofar as the processing of personal data is necessary for the performance of the contract concluded with you referred to in paragraph 2(a) above - Article 6(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "the GDPR”);
b) to the extent in which the processing of personal data is necessary for the identification of the Controller's customer - Article 6(1)(c) of the GDPR, i.e. the necessity of the processing for compliance with a legal obligation to which the Controller is subject;
c) insofar as the processing of personal data is necessary for the Controller to fulfil legal obligations arising from accounting regulations - Article 6(1)(c) of the GDPR;
d) insofar as the processing of personal data proves necessary for the establishment, investigation or defence of the Controller's claims, Article 6(1)(f) of the GDPR, pursuit by the Controller of its legitimate interests.
5. Personal data can be made available by the Controller to the General Inspector of Financial Information in accordance with the requirements of the AMLA. Personal data may also be entrusted by the Controller to other third parties providing ongoing services to the Controller, e.g. in the field of legal or accounting services, as well as in situations in which such an obligation clearly results from a demand of an authorized public authority or from the applicable provisions of commonly binding law. Personal data may also be transferred to the extent necessary to companies within the RAINBOW COMMERCE capital group. Personal data may be transferred to countries outside the European Economic Area, but only to those for which the European Commission has issued a decision declaring an adequate level of protection of personal data within the meaning of Article 45 GDPR.
6. Personal data may be stored by the Controller for a period of:
- 5 years, counting from the date of termination of business relations with the Controller or from the date of execution of an occasional transaction in accordance with Article 49 of the AMLA; - the end of the limitation period for claims arising from the contract referred to in paragraph 2(a) above, which is generally 6 years counted from the end of the year in which the claim under the contract became due in the case of customers who are not entrepreneurs and 3 years counted from the end of the year in which the claim under the contract became due in the case of customers who are entrepreneurs;
- the end of the obligatory period for keeping tax records containing personal data, which as a rule is 5 years counted from the end of the year in which the deadline for tax payment expired;
- the final conclusion of the investigation, determination or defense of claims in judicial or extrajudicial proceedings and enforcement of the judgment;
depending on which of the aforementioned deadlines ends at the latest.
7. You have the right to:
• demand access to the personal data processed by the Controller, i.e. obtain the information listed in Article 15 GDPR, i.e. in particular about the purposes and scope of processing;
• demand that the Controller rectify or complete the personal data if they are incorrect or incomplete;
• request the erasure of personal data by the Controller in cases referred to in Article 17 of the GDPR, in particular if the processing of personal data is not necessary for the purposes for which the data have been collected;
• request for restriction of processing of personal data by the Controller, i.e. for the Controller not to carry out any processing of personal data beyond the mere storage thereof, in situations referred to in Article 18 of the GDPR;
• to object to the processing of your personal data by the Controller, where the basis for the processing of your personal data is Article 6(1)(f) of the GDPR;
• make a complaint to the President of the Office for Personal Data Protection if you believe that the processing of your data by the Controller infringes the provisions of the GDPR.
8. Provision of personal data to the Controller is entirely voluntary, but it is necessary in order for the Controller to provide the services referred to in paragraph 2 a) above.
9. Personal data will not be subject to automated decision-making, including profiling.
Smartwhip