TERMS&CONDITIONS

of

kolceochronne.pl webshop

§1

General Provisions

1. The webshop, hereinafter referred to as the Shop, conducts retail online sales governed by these Terms&Conditions.

2. The Shop is owned by: Senator Łódź - Jarosław Balcerek with its registered office at ul. Legionów 96, 90-736 Łódź, Tax Identification Number (NIP): 726-108-77-36, tel: 605202929 or 42 6330709, e-mail address: info@kolceochronne.pl

3. The Terms&Conditions are the integral part of the sales agreement concluded with the Customer.

4. The sales agreement can be concluded only after the acceptance of the Terms&Conditions by the Customer.

5. Prices given in the Shop are prices including VAT.

6. Goods available in the Shop are free from physical and legal defects.

§2

Orders

1. Orders may be placed as follows:

a) using the form available on the Shop's website,

b) by e-mail to the address presented on the Shop's website,

c) by telephone at the numbers intended for placing orders, available on the Shop's website on the Contact tab.

2. For the order to be executed, the Customer must provide data enabling verification of the Customer and the recipient of the goods. The Shop shall confirm the order acceptance by e-mail or telephone. The Shop shall confirm the order acceptance for execution after receiving prepayment.

3. The parties shall be bound by the information presented on the Shop’s website for the goods at the time of order, in particular: price, product characteristics, date and method of delivery.

4. The information on the Shop's website does not constitute an offer within the meaning of the Civil Code. By placing an order, the Customer makes an offer to purchase the specified goods.  The sales agreement is concluded when the Customer confirms the Order by accepting a pro forma invoice and confirming the prepayment.

§3

Payment

1. The Customer can choose a payment method as defined on the Payment Method tab.

2. Shipping prices are specified in the delivery price list.

3. The release of the goods is subject to the payment for the goods and shipping.

§4

Shipping

1. The ordered goods are shipped by a courier service within 3 working days of receipt of prepayment or are available for collection by the customer at the company's premises.

2. In the case of payment by payment card, the order processing time is counted from the moment of a successful authorisation of the transaction.

§5

Complaints

1. Complaints are accepted for consideration upon the Customer's presentation of a proof of the purchase of goods (cash register receipt or VAT invoice).

2. In the case of goods’ non-conformity with the agreement, the Customer should send the complained goods back to the Shop along with a description of the non-compliance.

3. The shop will respond to the Customer's complaint within 14 working days of returning the goods with a description of the non-conformity. If verification of the non-conformity requires an expert opinion, or a representative of the goods’ manufacturer, the time for the Shop to respond shall be extended by the time it takes the Shop to obtain such an opinion.

4. In case the resolution of a justified complaint involves sending a brand-new product the Customer or removing the non-conformity, the costs of shipment shall be borne by the Shop.

5. Individual settings of the Customer's computer and monitor causing wrong or distorted display of information about the goods (e.g. colours) cannot constitute grounds for complaint.

§6

Right to Withdrawal

1. Pursuant to the Act on the protection of certain consumer rights and liability for damage caused by a hazardous product of 2 March 2000, the Customer has the right to withdraw from the agreement.

2. The right to withdraw from the agreement is applicable only if the Customer submits to the Shop, within 14 days of receipt of the goods, a declaration of withdrawal from the agreement.

3. The Customer shall return the goods to the Shop within 14 days of making the declaration of withdrawal. Returned goods should be in an intact condition, including but not limited to: complete, in factory packaging, without any signs of use.  Shipping costs shall be borne by the Customer.

4. Within 3 working days of receiving the shipment, the Shop shall verify the condition of the returned product.

5. Within 7 days of inspecting the goods, the Shop shall refund to the Customer the amount paid, less the costs of order handling. The Customer should indicate the bank account number to which the refunded amount is to be transferred. In the case of payment by a payment card, the refund will be made to the card.

6. In the event of any violation by the Customer of the provisions set out in clauses  2 and 3 above, the declaration of withdrawal shall be ineffective, the goods are not subject to return, and the Shop will not refund the amount paid to the Customer.

7. The right of withdrawal shall not apply to the Customer in the cases specified in Article 10( 3) of the Act referred to in clause 1 above, i.e. with respect to:

a) the provision of services commenced, with the Customer's consent, before the end of the withdrawal period (applies to the provision of services and not to sales of goods),

b) audio and visual recordings and those stored on computer storage media once the Customer has removed their original packaging,

c) agreements related to services for which the price or remuneration depends exclusively on the price fluctuations on the financial market,

d) supplies of the characteristics specified by the Customer in their order or strictly associated with the Customer,

e) supplies which, due to their nature, cannot be returned or which are easily perishable goods,

f) the supply of newspapers,

g) gambling services.

§7

Intellectual Property

No materials published on the Shop's website (including photographs and descriptions of goods) may be used unless expressly permitted in writing by the Shop.

§8

Entry into Force and Amendments to the Terms&Conditions

1. Terms&Conditions shall come into force on the date of publication on the Shop's website.

2. The shop reserves the right to amend the Terms&Conditions, which come into force on their publication on the Shop's website. Agreements concluded before the amendments to the Terms&Conditions shall be governed by the Terms&Conditions valid on the date of placing an Order by the Customer.

 

 

PERSONAL DATA PROCESSING SAFETY POLICY

Personal Data Processing Safety Policy

in

Senator-Łódź Jarosław Balcerek

90-763 Łódź, ul. Legionów 96, 7261087736 Łódź, Tax Identification Number (NIP): 7261087736

CHAPTER I

General Provisions:

§ 1

  • The management of Senator-Łódź Jarosław Balcerek, aware of the importance of the issues related to the processing and protection of personal data, adopts the present document and declares to ensure compliance with it, in order to provide for the right to privacy, through the application of necessary and targeted measures to secure the correct management of the flow of legally protected information concerning natural persons, in Senator-Łódź Jarosław Balcerek.
  • The management declares to assure the protection of personal data at a level that corresponds to the nature of the information processed and secures it against any unlawful actions (information security).
  • The purpose of the personal data protection security policy is to adapt the technical and organisational protection measures at Senator-Łódź Jarosław Balcerek to the highest standards of information protection, which will enable proper information sharing within the organisation.
  • The management of the processing and protection of personal data in Senator-Łódź Jarosław Balcerek constitutes an organised and continuous process, composed of the following: identification and assessment of risks, establishment and improvement of safeguards, improvement of the staff's qualifications and implementation of the procedure and principles of responsibility for the Policy's violation incidents.

§ 2

  • This document contains a set of rules and practical guidance on how to properly manage, protect and distribute personal data, in particular:
    • security principles applicable to the processing of personal data;
    • organisational and technical measures to safeguard personal data against unlawful processing;
    • principles of personal data transfer between users and other authorised persons;
    • principles of responsibility of persons violating the Policy;
    • principles of reporting any non-compliance in the processing or protection of personal data to the data controller;
    • obligations of users to improve their qualifications in the field of personal data protection;
    • other information referred to in § 4 of the Regulation of the Minister of Internal Affairs and Administration of 29 April 2004 on the documentation of personal data processing and technical and organisational conditions which should be met by devices and IT systems used for the processing of personal data.
  • The principles established herein refer to the protection of personal data processed both in the IT systems and elsewhere.

§ 3

The obligation of compliance with the principles described in this document is imposed on:

  • all persons employed by Senator-Łódź Jarosław Balcerek also under a civil law contract;
  • interns, volunteers, trainees and other persons working for the Senator-Łódź Jarosław Balcerek in a similar capacity;
  • members of the bodies of Senator-Łódź Jarosław Balcerek;
  • other persons who participate in the processing of personal data at Senator-Łódź Jarosław Balcerek.

§ 4

  • Whenever reference is made in this document to:
    • act - it shall mean the Act of 29 August 1997 on the protection of personal data;
    • Policy - it shall mean this document;
    • Manual - shall mean the "IT System Management Manual" issued by the data controller;
    • data filing system - shall mean any structured set of personal data which are accessible under specified criteria, irrespective of whether the set is dispersed or functionally divided;
    • data processing - shall mean any operations which are performed on personal data, such as collection, recording, storage, processing, modification, disclosure and erasure, in particular those performed by means of IT systems;
    • IT system - shall mean a set of co-operating devices, software, information processing procedures and software tools used for the purpose of processing of personal data;
    • data controller - shall mean Senator-Łódź Jarosław Balcerek, 90-763 Łódź, ul.  Legionów 96;
    • information security administrator - shall mean the person appointed by the data controller to perform the function of information security administrator according to the rules determined by the Act;
    • user - shall mean the person authorised by the controller to process personal data;
    • user's ID - shall mean a sequence of letters, digits or other characters uniquely identifying the person authorized to process personal data in the IT system;
    • password - shall mean a sequence of letters, digits or other characters, known only to the person authorised to work in the IT system;
    • accountability - shall mean the feature ensuring that the activities of a entity can be unambiguously attributed only to that entity;
    • data integrity - shall mean the feature ensuring that personal data have not been altered or destroyed in an unauthorized manner;
    • erasure - shall mean the destruction of personal data or their modification in such a way that the identity of the data subject cannot be established;
    • data confidentiality - shall mean the feature ensuring that the data is not disclosed to any unauthorised parties;
    • authentication - shall mean a measure aimed at verifying the declared identity of an entity.
    • Terms not defined in the Policy shall have the meaning given under the Act and the implementing acts issued thereunder.

§ 5

Senator-Łódź Jarosław Balcerek 90-763 Łódź ul. Legionów 96 shall only process and collect personal data in the cases and for the purposes permitted by law, in particular, if:

  • the data subject gives their consent, except for the erasure of data relating to them;
  • it is necessary for the legitimate purposes of the data controller.

§ 6

The processing of personal data in Senator-Łódź Jarosław Balcerek 90-763 Łódź ul. Legionów 96 is allowed only if compliant with the provisions of the Act, implementing acts issued on the basis of the Act and regulations issued by the controller - in particular the Policy and the Manual.

 

CHAPTER II

Personal Data Protection System

§ 7

  • The Data Controller shall be obliged to apply technical and organisational measures to ensure a increased/high level of the processed data protection - in particular to protect the data against disclosure to unauthorised persons, takeover by an unauthorised person, processing with the violation of the Act, and alteration, loss, damage or destruction.

 

 

 

§ 8

  • The Data Controller may appoint an Information Security Administrator.
  • The tasks of the Information Security Administrator include:
    • ensuring compliance with the provisions on personal data protection

verifying the compliance of personal data processing with personal data protection regulations and preparing a report to the controller in this regard;

supervising the updating of the Policy and the Manual and compliance with the principles set out therein;

b) ensuring that users are aware of the personal data protection legislation;

keeping the register of data filing systems processed by the Data Controller, except for the systems referred to in Article  43( 1) of the Act, which shall contain the name of the system and the information referred to in Article 41( 1) item 2-4a and 7 of the Act.

  • The Data Controller may assign the Information Security Administrator with the performance of other duties, if this shall not affect the proper performance of the tasks referred to in clause 2.
  • The Appointment of the Information Security Administrator template, together with the additional duties referred to in clause 3, constitutes an appendix to the Policy.
  • The Data Controller may appoint additional positions related to personal data protection, in particular the IT Systems Administrator. When appointing persons to the positions referred to in the preceding sentence, the data controller shall define the scope of their duties and authorisations regarding users.

§ 9

  • The Data Controller may entrust the processing of personal data to another subject only under a written agreement which shall determine the scope and purpose of the data processing.
  • The agreement referred to in the preceding clause shall contain the assurance of the entity entrusted with the processing of personal data that prior to the commencement of such processing it will undertake the measures to secure the data filing system referred to in Article 36-39 of the Act and that it will meet the requirements specified in Article 39a of the Act.

§ 10

  • Only persons holding a written authorisation granted by the Data Controller (users), which specifies the scope and purpose of data processing, shall be allowed to carry out the data processing. The authorisation shall be issued for a definite or indefinite period of time. Template of the authorisation constitutes an appendix to the Policy.
  • The Data Controller shall keep the Register of persons authorised to process personal data, in which the name and surname of the authorised person, user ID, date of granting and termination as well as the scope of authorisation to process personal data shall be indicated. The template of the register constitutes an appendix to the Policy.
  • Users are obliged to keep the confidentiality of the personal data processed and the applied security methods. In order to ensure this commitment, the potential user shall sign a Declaration of Confidentiality upon the receipt of consent to data processing.
  • The Data Controller shall refrain from granting an authorisation to process data if the potential user has refused to sign the Declaration of Confidentiality.
  • The Data Controller is entitled to revoke the granted authorisation at any time, which shall be recorded in the records referred to in clause 2.
  • The Data Controller shall ensure that no unauthorised persons gain access to personal data processed in the organisation, in particular it shall prevent the processing of personal data by entities which have not been granted the authorisation, whose authorisation has expired or has been withdrawn.
  • In order to comply with the obligation referred to in clause 6, the Data Controller shall:
    • provides IDs and passwords enabling to use the IT system only to persons who hold a written authorisation to process personal data;
    • provides access to keys to buildings, rooms, cabinets, safes, etc., in which personal data media are stored, only to persons how hold a written authorisation to process personal data;
    • immediately after the expiration or withdrawal of the user's authorization to process personal data, the data controller shall remove the user's ID from the IT system and retrieve their keys to the facilities referred to in item b;
    • take other necessary and targeted measures, in particular, it may use CCTV, implement a key handover register, keep personal data storage media in a steel locker or lockable cabinets.

 

§ 11

  • Users are entitled to collect personal data only to the extent adequate to the activity performed, the type and value of the transaction, the legitimate interest or the purpose of the data processing.
  • When collecting data, the User is obliged to fulfil the information obligations referred to in Article 24 and 25 of the Act, in particular to inform the person from whom the data are collected about the purpose of this action.
  • Personal data may be collected from reliable sources only.
  • The User shall, as soon as they become aware of the need to update personal data, perform such an update or inform the controller of the need to update the data, if they are not entitled to do it themselves.

§ 12

  • The User shall, immediately after the collection of personal data, enter them into a relevant data filing system, noting in the records or system referred to in clause 3 the purpose of their processing. If personal data are not entered into the data filing system, the purpose of their collection shall be noted next to the data.
  • The User shall not process the data for purposes other than those for which they were collected and recorded in the manner specified in clause1.
  • The Data Controller shall control over what kind of personal data, when and by whom the data were entered into the data filing system and to whom they are transmitted, by applying the following measures:
    • in case of the processing of personal data other than in the IT system - a written/electronic register shall be kept in which each user, immediately after the personal data have been entered into the data filing system or transferred, shall include information about that fact together with their name and surname, the date of those operations and the extent of the personal data entered or transferred; in case of transfer of personal data the user shall also include information to whom the data have been transferred;
    • in case of the processing of personal data in the IT system - the system shall ensure the recording of:
      • date of the first data input into the system - automatically after the user confirms the data input operation;
      • ID of the user entering the personal data into the system, unless only one person has access to the IT system and the data processed therein - automatically after the user confirms the data entry operation;
      • sources of data in case the data are not collected directly from the data subject; however, if the personal data have been collected directly from the data subject, the system shall enable recording this circumstance, unless all the personal data processed in the given data filing system have been collected directly;
      • information on data recipients (Article  7 item 6 of the Act) and other persons to whom the personal data have been disclosed, the date and the extent of such disclosure, unless the IT system is used to process the data contained in public filing systems;
      • the objection referred to in Article 32( 1) item 8.
  • The provisions of clause 3b do not have to be complied with when the IT system is used only to process data by means of editing the text in order to make the data available in writing.

§ 13

Personal data shall be retained for no longer than it is necessary to achieve the purposes of the processing, as defined and recorded in accordance with § 11. If the purposes of the processing have been achieved, the user shall promptly delete the data from all data filing systems and other places where personal data are stored.

§ 14

The procedures of performing and recording the repair, inspection and maintenance of the IT systems and data processing media shall be determined by the Manual.

§ 15

  • The Users, in case of any identified breach of the personal data protection system, in particular of the Policy, shall be obliged to immediately notify the data controller thereof and to take necessary actions to mitigate the effects of the breach and restore the state of compliance, in particular:
    • determine the cause and scope of the breach and the person responsible for its occurrence;
    • secure the location where the breach occurred;
    • consider ceasing the processing of personal data, including in the IT system, until the relevant circumstances of the breach have been established;
    • refrain from any activities that may impede the analysis of the incident.
  • A breach of the data protection system should be defined as, in particular:
    • failure of any component of the IT system;
    • alert on infection of any IT system element from the anti-virus system;
    • occurrence of an emergency state for the premises where personal data are processed, e.g. fire, flooding, collapse;
    • presence of unauthorised persons on the premises where personal data are processed, where the behaviour of such persons indicates an attempt to gain unauthorised access to personal data;
    • loss of backups;
    • unauthorised login into the IT system;
    • destruction or damage of any component of the IT system.
  • Each notification of a breach of the data protection system shall be recorded by the Data Controller in the Breach Register, which constitutes an appendix to the Policy. The notification shall include a brief description, the cause and extent of the breach and a procedure to be followed in case similar incidents occur in the future.

§ 16

  • The Data Controller shall arrive at the place of the breach in order to review the circumstances of the breach and decide on the further course of action, in particular to assess the advisability of calling in IT system specialists.
  • If the processing of personal data has been discontinued, its resumption shall be decided by the Data Controller, unless special circumstances require the immediate resumption of processing.
  • The user who reported the breach shall be obliged to report the relevant circumstances of the breach to the Data Controller. The Data Controller may also request explanations from other persons who may have knowledge of the incident.

§ 17

  • The Data Controller shall develop and implement measures to restore the security of the personal data protection system and protect the system against the occurrence of similar incidents in the future, in particular provide the necessary instructions to users.
  • The Data Controller may issue periodic reports on the incurred breaches and measures to remedy them.  All users are obliged to read the reports.

 

 

§ 18

  • The Users are not permitted to:
    • process personal data to an extent and for a purpose that is not compliant with the authorisation or the law;
    • make personal data available to any person not authorised to process them;
    • take equipment on which personal data is stored outside the personal data processing area;
    • act, when processing personal data, contrary to the legislation, the Policy and the Manual.
  • Failure to comply with the prohibitions and failure to comply with the obligations relating to the processing of personal data within the organisation is subject to the disciplinary sanctions set out in the Policy.

§ 19

  • in the organisation, personal data shall be processed in buildings, premises or parts of premises, which constitute the personal data processing area, as specified in Appendix 5 to the Policy.
  • The Users are not allowed to process data outside the data processing area specified in clause 1, in particular, they may not carry data carriers out of it, except as specified in the Policy and the Manual in relation to the repair and maintenance of data carriers.

§ 20

  • The list of personal data filing systems including the indication of software and hardware used for their processing constitutes Appendix No. 6 to the Policy.
  • Any changes in personal data filing systems, software and hardware used for their processing shall require immediate modification of the list referred to in clause 1 by the data controller.
  • The Users are not allowed to use the IT system in a way that violates the relations resulting from the list referred to in clause 1.

 § 21

In the data filing systems in the organisation, personal data are processed within the scope specified by indicating the information fields and relations between them in Appendix No. 7 to the Policy.

§ 22

  • The way of data flow between particular systems in the organisation is specified in Appendix No. 8 to the Policy.
  • In relation to the manner of functioning and interrelations between information systems, the level of security measures referred to in § 7 clause1 shall be applied.

§ 22

In order to ensure the confidentiality, integrity and accountability of the data processed, in addition to other measures indicated in the Policy, the following organisational and technical security measures shall be applied:

  • Lockable office
  • Password protected computer
  • User has login and password to the system
  • Change of password every 30 days
  • Logging out of the system at the end of work

 

 

CHAPTER III

Sanctions

§ 23

The Users shall be subject to the following sanctions for violating the prohibitions or failing to comply with obligations in relation to the processing of personal data:

 

  • Termination of the employment contract (warning, reprimand)
  • Penalty deduction from salary

  

CHAPTER IV

Qualifications Upgrade

§ 24

  • The Data Controller provides users with access to data protection trainings.
  • The User shall be obliged to undergo a training course at least every 12 months in order to upgrade their qualifications in the field of personal data protection.
  • In the event of a significant change in the data protection law, the Data Controller shall immediately provide the User with access to the current data protection legislation and publications. Whenever possible, the Data Controller shall organise or provide training for the Users in order to update their knowledge in the field of personal data protection.

§ 25

Before granting authorisation to a potential user for personal data processing, the Data Controller shall ensure access to educational material on personal data protection and, where possible, provide training to the potential user in this regard.  In order to verify the knowledge of the potential user, the data controller may conduct a competency test.

 

CHAPTER V

Final Provisions

§ 26

  • The Policy shall enter into force as of the date of its publication and its content shall be freely available for review at the Data Controller.
  • The User is obliged to submit a declaration that they have read the Act, implementing acts issued thereunder, the applicable Policy and the Manual. A template of the declaration constitutes an Appendix to the Policy.
  • All documents, including appendices to the Policy, related to personal data protection in the organisation shall be kept by the Data Controller.  Declarations, authorisations and other documents relating directly to a given user are also kept in the user's personal file.