General provisions.
1. This document sets the rules for the protection of privacy, including the collection of cookies and the processing of personal data, applicable to websites managed by OTCF S.A., particularly including online stores operated by OTCF S.A.
2. Except as otherwise provided herein, the definitions and wording used in this Privacy Policy shall retain the meaning indicated in the Terms and Conditions of the 247sport Online Store.
I. Personal data protection
1. Subject to the provisions of Section II, the Data Controller (within the meaning of Article 4(7) of the GDPR) of the Users using the Store’s functionality is the Seller, i.e. OTCF S.A.
2. The Seller has appointed a Data Protection Supervisor (DPS) who may be contacted in matters concerning personal data protection and the exercise of the rights related thereto. To that end, the User may contact the Data Protection Supervisor by means of electronic mail at [email protected] or by means of traditional mail at OTCF S.A., ul. Saska 25C, 30-720 Kraków(annotated with “Data Protection Supervisor (DPS)”).
3. Users’ personal data may be processed for the following purposes and based on the following legal grounds:
1. accepting orders and performing contracts of sale (legal grounds for data processing: Article 6(1)(b) of the GDPR)
2. ongoing communication in matters related to the orders placed, inclusive of the confirmation of the same and information on the status thereof (data processing legal grounds: Art. 6(1)(b) of the GDPR);
3. enabling registration and operation of a User Account created in the Store (in the event of the User creating the same) and providing other functionalities through the Store, specified in Section IV of the Terms and Conditions of the 247 Online Store. within the framework of the contract for the provision of services by electronic means concluded with the User (legal grounds for data processing: Article 6(1)(b) of the GDPR),
4. enabling the User to register and log in to their User Account using their Facebook account involving User authentication on their account registered in the Store through verification of their data against the data assigned to their Facebook account (in such case Facebook, in accordance with their user authentication tools, will provide the Seller with data comprising: first name, last name, email address, and profile picture), exclusively where the User selected this form of logging, with such processing being within legitimate interests of the Seller (Article 6(1)(f) of the GDPR),
5. enabling the use of the functionality of other forms referred to in Section IVb of the Terms and Conditions of the 247sport Online Store. within the framework of the contract for the provision of services by electronic means concluded with the User (legal grounds for data processing: Article 6(1)(b) of the GDPR) in accordance with these Terms and Conditions of the 247sport Online Store., as well as on the basis of specific regulations determining the rules of using specific forms, provided that they are applicable in specific cases in accordance with the decision made by the Seller (in this case, these regulations may determine additional purposes and legal grounds for the processing of personal data),
6. examining complaints related to the concluded contracts of sale (Article 6(1)(b) of the GDPR),
8. accepting notifications and queries directed to the Seller other than complaints and matters related to the contracts performed (e.g. via contact details indicated on the Store website or available electronic forms), which constitutes the Seller’s legitimate interest (legal grounds for data processing: Article 6(1)(f) of the GDPR),
9. accepting declarations of withdrawal from distance contracts of sale pursuant to the provisions of the Terms and Conditions of the 247sport Online Store. and the provisions of Section 4 of the Act dated 30 May 2014 on consumer rights, which is the Seller’s legitimate interest (legal grounds for data processing: Article 6(1)(f) of the GDPR),
10. processing and bringing claims, defending against claims, exercising extrajudicial methods for handling complaints and bringing claims, which is the Seller’s legitimate interest (data processing legal grounds: Article 6(1)(f) of the GDPR),
11. facilitating obtainment of credit services and enabling electronic payments, which is the Seller’s legitimate interest (data processing legal grounds: Article 6(1)(f) of the GDPR),
12. monitoring the manner wherein Users use the services provided within the framework of the Store with respect to compliance with the provisions of the Terms and Conditions of the 247sport Online Store, and with a view to developing functionalities of the Store and improving the operation of the services provided through it, which is the Seller’s legitimate interest (legal grounds for data processing: Article 6(1)(f) of the GDPR),
13. for direct marketing, including profiling, by selecting and displaying the goods available in the Store, taking into account the activity and preferences of specific Users, as well as by creating tailored groups of ad recipients taking into account their preferences, which is a legitimate interest of the Seller (legal grounds for processing: Article 6(1)(f) of the GDPR),
14. conducting statistical analyses, which is the Seller’s legitimate interest (data processing legal grounds: Article 6(1)(f) of the GDPR),
15. implementing legal requirements in the field of tax and accounting regulations, in particular those specified in the provisions of the Act dated 11 March 2004 on the tax on goods and services (VAT), of the Act dated 15 February 1992 on income tax from legal persons, and of the Act dated 29 September 1994 on accounting (data processing legal grounds: Article 6(1)(c) of the GDPR),
16. storing data for archiving purposes and to demonstrate correct fulfillment of legal obligations imposed on the Seller, which is the Seller’s legitimate interest (data processing legal grounds: Article 6(1)(f) of the GDPR),
17. sending commercial information by electronic means, in the form of the Newsletter, if the User has expressed a separate consent to receiving commercial information by electronic means,
18. sending commercial information by electronic means in the form of PUSH messages – if a specific person has given separate consent to receive this type of information,
19. sending (sharing) the User’s data to external entities cooperating with the Seller in order to direct online advertisements to Users, conducting analytical research, improving the display of advertisements, personalizing them, adjusting the content and improving solutions and services provided by entities cooperating with the Seller, including entities running social media portals – if a specific person has given separate consent to this type of transfer and further use of data by the Seller and its cooperating entities (more on this subject in Section II);
20. conducting User satisfaction surveys – if the User has expressed a separate consent to participate in such a survey (legal grounds for data processing: Article 6(1)(a) of the GDPR);
21. saving data in the form of cookies, collecting data from the Store’s website and the Store’s mobile version (as long as this information constitutes personal data) – if a specific person has given separate consent to it on the terms set out in the Cookies Policy applicable on the Store’s website (see Section III).
4. Users’ personal data may be disclosed to the following categories of recipients:
1. subcontractors providing technical support to the Seller in running and maintaining, as well as developing the Store, such as: entities providing hosting services, suppliers of Store management software, entities providing technical support for the Store’s software, suppliers providing software for sending commercial correspondence by electronic means, including PUSH messages, suppliers providing services for the Customer Service Center, suppliers providing software for communicating with Users, including communication carried out using dedicated algorithms (e.g. Chatbot), suppliers providing cybersecurity tools, suppliers providing solutions for integrated electronic payment platforms with which the Seller has concluded the legally required contracts for entrusting the processing of personal data;
2. entities supporting the Seller in conducting marketing (in particular on the Internet) and sales activities, including measuring the effectiveness of advertising campaigns on the Internet, matching advertisements to Users’ preferences, conducting behavioral (personalized) advertisements, such as marketing agencies, entities providing services in as part of remarketing, entities operating Internet portals, including social media portals and Google;
3. entities supporting the Seller in the implementation of programs of User satisfaction surveys, in particular through surveys conducted electronically or by telephone; entities supporting the Seller in the implementation of applicable laws, rights and obligations arising from the Terms and Conditions of the 247sport Online Store, in connection with the provision of services through the Store, such as law firms and debt collection agencies;
4. entities requiring data provision to ensure proper service provision through the Shop, as requested by a particular User – electronic payment service providers (if this option of payment is selected), credit (installment buying) service providers, entities delivering goods to the address specified (postal, transport, or courier services, shipping companies) or entrepreneurs running stationary stores and points of sale under the Seller’s brands, as well as entrepreneurs running stationary stores and points of sale under the brands in relation to which the Seller acts as a distributor; as well as entities running – under the “247sport” brand – pick-up points or points of sale of the “247sport” brand products, to which data are made available as separate controllers or with whom the Seller has entered into legally required data processing outsourcing agreements (depending on the status of these entities held in relation to the personal data provided).
5. Users’ personal data may be transferred by the Seller outside the European Economic Area (EEA) as part of using subcontractors’ services by the Seller (out of the categories of recipients referred to in item 4 hereinabove). In such case, the Seller shall ensure legally required personal data protection measures, namely (depending on the case): i) provision to a subcontractors located in a third country in respect whereof a decision has been made, finding an adequate level of protection in accordance with the requirements of Article 45 of the GDPR; ii) data are provided on the basis of a data transfer agreement with a subcontractor that has been based on the Standard Contractual Clauses adopted by a decision by the European Commission; iii) data are provided within the framework of binding corporate rules applied by the subcontractor and referred to in Article 47 of the GDPR. For more information on the Seller’s security measures associated with the transmission of data outside the EEA can be obtained by contacting the Data Protection Supervisor appointed by the Seller.
6. Except as provided above, Users’ personal data may be transferred outside the EEA only in those cases where a specific User places an order from a country located outside the EEA and expects the ordered goods to be delivered to that country. In this case, the Seller will transfer the User’s personal data outside the EEA only for the purpose of proper implementation of the order placed, to the address indicated in the order, as requested by the User.
7. Personal data obtained shall be stored by the Seller throughout the period of performance of the Contracts of Sale concluded, until they are correctly settled, and throughout the period of provision of the services by the Shop (to the Users) for the period of agreements on the provision of services by electronic means; moreover:
1. until the potential claims under the agreements specified hereinabove are barred,
2. for the time required by the Seller to vindicate or defend specific claims (if brought by the User in connection with the concluded agreements specified hereinabove),
3. for the time of fulfillment of the obligations under the law, tax and accounting regulations in particular, for instance obligations related to the storage of documentation pursuant to the requirements of Article 74 of the Accounting Act of 29 September 1994,
4. for the period required by the Seller to demonstrate before public administration bodies, including personal data protection supervision bodies, proper fulfillment of the legal obligations imposed thereon;
5. for archiving purposes when it concerns the history of the correspondence and replies to the questions asked (not directly related to the concluded agreements) – for a period which shall be no longer than 3 years from obtaining the data
6. for direct marketing purposes – for the period of agreements on the provision of services by electronic means (Users) and for the period of performance of contracts of sale, or until data processing for this purpose is objected;
7. until the consent to data processing is withdrawn, or data become obsolete (found so by the Seller) if data are processed pursuant to the consent given by a specific individual.
8. The Seller shall provide each User with the right to exercise all of their rights under the GDPR, i.e. the right to request access to the personal data thereof, the right to rectify, delete or demand restriction of processing thereof, the right to data transfer, and the right to object to the processing thereof, on the terms and in the cases provided for in the provisions of the GDPR.
9. In the case of the Seller processing personal data to realise a legitimate interests thereof (specified hereinabove), each User shall have the right object to data processing for reasons relating to a specific situation thereof.
10. Data processed to realise a legitimate interest consisting in the Seller carrying out direct marketing shall be processed solely until objection to this form of processing. The User shall have the right to object to the processing of the personal data thereof for direct marketing purposes, including profiling, at any time.
11. In the event of the Seller processing personal data pursuant to a consent given by the User, any individual shall have the right to withdraw the consent to the processing of the personal data thereof at any time, which shall not affect legality thereof preceding the withdrawal.
12. Provision of personal data with respect to:
1. Users who wish to create a User Account in the Store – to register and create a User Account, it shall be required to provide data within the scope specified in the registration form, i.e. name, surname, address, e-mail address. A failure to provide the same shall prevent creation of a User Account (and, consequently, conclusion of an agreement on the provision of services by electronic means), but the Client shall still be able to place orders through the Store within the option without registering a User Account;
2. Users placing orders through the Store – to place and enable the Seller to fulfill the same (and, consequently, to conclude a contract of sale), it shall be required to provide the following data: first name, last name, address of residence (or another address for delivery), e-mail address, telephone number. A failure to provide the same shall result in the inability to accept the order (and, consequently, to conclude a contract of sale);
3. Users submitting a declaration of withdrawal from a contract of sale – to submit a declaration of withdrawal from a distance contract of sale, it shall be required to provide the following data: first name, last name, e-mail address, address of residence (street, house / apartment number, postal code, town / city (post office)), telephone number, order number, bank account number. A failure to provide the same shall prevent effective submission of the declaration of withdrawal from the contract of sale, and a failure to specify the bank account number may prevent the refund,
4. Users making complaints with respect to the contract of sale concluded – to make the same and enable the Seller to examine it, it shall be required to provide the following data: first name, last name, e-mail address, bank account number, address (street, house / apartment number, postal code, town / city (post office)), telephone number, form of compensation, order number, and information what goods specifically are complained about, and for what reason. A failure to provide the same shall prevent the Seller from examining the complaint,
5. Users making complaints with respect to the agreement on the provision of services by electronic means, concluded with the Seller pursuant to the rules specified in the Terms and Conditions of the 247sport Online Store – to make the same and enable the Seller to examine it, it shall be required to provide the e-mail address provided by the User during the User Account registration at the Store or during registration of the subscription to the Newsletter (if the complaint is related to the said service). A failure to provide the same may prevent the Seller from examining the complaint,
6. in other cases, provision of data shall be voluntary.
13. The Seller shall not conduct User data processing operations in an automated manner resulting in decisions having legal effects thereon or similarly and significantly affecting the situation thereof. Possible automated data processing, including profiling, shall be used solely to analyse and forecast individual preferences of Users using the Shop.
14. Any individual whereof personal data are processed by the Seller shall have the right to file a data processing related complaint with the supervisory body, i.e. the Head of the Office For Personal Data Protection having its registered address at ul. Stawki 2, 00-193 Warsaw.
II. Additional provisions related to the protection of personal data
A. – transfer of Users’ data to social media platforms managed by Meta Platforms Ireland Ltd.
1. The Seller informs that in agreement with Meta Platforms Ireland Ltd, with its registered office at 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (hereinafter “Meta Platforms”), it uses solutions consisting in targeting via social networks managed by Meta Platforms (in particular, such as: Facebook or Instagram) online advertising to Users, conducting analytical research, improving the display of advertisements, their personalization, content matching and improvement of solutions and services provided by Meta Platforms. For this purpose, the Seller may collect and disclose Users’ personal data to Meta Platforms as a joint data controller.
2. The User acknowledges that in the event of consent to the transfer of data to Meta Platforms, the Seller and Meta Platforms will jointly process their personal data. The joint processing of data includes the collection of such personal data via the business tools of social networks managed by Meta Platforms and their subsequent transfer to Meta Platforms for the purpose of using them for the purposes indicated in Section I.
3. Any disclosure of Users’ personal data for the purposes set out in Section I will only take place with the express consent of the specific User (Article 6 (1) (a) of the GDPR). The consent is expressed through a dedicated tool, available from the level of the User’s web browser, which is also used to express consent by the User to saving cookies on his end device (a tool called Cookiebot).
4. The scope of personal data that will be transferred by the Seller to Meta Platforms with the consent expressed by the User includes: e-mail address, telephone number, gender, date of birth, name and surname, city, postal code, country, IP address, web browser ID, individual User ID, User login used in social networks managed by Meta Platforms.
5. Due to the joint activities regarding the processing of personal data, the Seller and Meta Platforms are bound by an agreement on co-controlling of data, the content of which can be found at: https://www.facebook.com/legal/controller_addendum. This document specifies, among other things, the division of obligations between the Seller and Meta Platforms in terms of ensuring compliance with the obligations arising from the GDPR in relation to the joint processing of personal data.
6. Information on the rules for the processing of personal data by Meta Platforms, including information on the legal grounds for the processing of personal data and possible ways of exercising Users’ rights in connection with the processing of their personal data by Meta Platforms, can be found at https://www.facebook.com/about/privacy (applies to Facebook) and https://privacycenter.instagram.com/policy (applies to Instagram).
7. The User may withdraw the previously granted consent to the transfer of personal data by the Seller to Meta Platforms at any time and without giving reasons, using the dedicated tool referred to in item 3.
8. In the scope of processing their personal data by the Seller, the Users have all the rights referred to in items 8-11 of Section I of this Privacy Policy.
9. To the extent that personal data has been provided by the Seller to Meta Platforms, Users may exercise their rights under Art. 15-21 GDPR directly from Meta Platforms (for this purpose, see the information available at https://www.facebook.com/about/privacy (applies to Facebook) or https://privacycenter.instagram.com/policy (applies to Instagram), as well as submit such a request to the Seller (in this case, the Seller shall submit a relevant request to Meta Platforms for its execution).
III. Cookies policy
1. This cookie policy defines the rules for the use of small files, referred to as “cookies”, used by websites managed by OTCF S.A.
2. Cookies are small text files saved and stored on devices through which the User uses websites. Cookies usually contain the name of the domain they come from, the storage time on the User’s end device and an individual, randomly selected number identifying the file. The main purpose of cookies is to make it easier for the User to use websites and to make them more user-friendly, without causing any damage to the User’s computer or other end device.
3. Cookies are safe for the website User’s computers. In particular, they do not allow penetrating the Users’ computers with viruses or other unwanted software or malware.
4. Information collected using this type of file is stored for the purpose of maintaining the User’s session within the website; they may improve the website by making estimates regarding website usage statistics, and help to adjust the services offered by OTCF S.A. products tailored to the individual preferences and actual needs of Users, speed up the search process, and may also allow the display of advertisements, both from websites managed by OTCF S.A. and from third party websites or otherwise, based on the analysis of the User’s browsing habits.
5. Basically, two types of this sort of files can be saved on the User’s device: own (cookies created by the website that the User enters – these cookies primarily allow the proper functioning of the website, including displaying its individual elements – their deactivation may limit or completely prevent the display of the website content) and external (cookies created by external websites, are installed on the User’s device and remain there until they are deleted or expired).
6. Due to the purpose for which cookies are used, websites managed by OTCF S.A. may allow the following types of cookies to be saved on the User’s device:
- Essential
- Preferences
- Statistics
- Marketing
7. A detailed description of individual groups of cookies and of the cookies themselves can be found in a dedicated tool provided by OTCF S.A. to manage the User’s preferences regarding the storage of cookies on his device (a tool called Cookiebot).
8. The tool referred to in item 7 is available on the website and allows the User to consent to the saving of cookies belonging to the following groups: “Preferences”, “Statistics” and “Marketing”. Without the express consent of the User, cookies of this type will not be saved on their device. The User may freely change their preferences regarding the consent to the saving of individual groups of cookies indicated in this item.
9. Cookies belonging to the “Essential” group are required for the proper functioning of the website; therefore the user cannot disable their saving from the level of the cookie preferences management tool. Disabling of saving this type of cookies is possible only from the level of the web browser used by the User (see Section 10 below), but in this case selected elements of the website or the entire website will not work properly.
10. Regardless of the cookie preferences management tool provided by OTCF S.A., the User may independently and at any time change the cookie settings, specifying the conditions for their storage and access to the User’s device directly through the web browser settings. In particular, these settings can be changed in such a way as to block the automatic handling of cookies in the User’s web browser configuration or to inform you whenever cookies are saved on the User’s device. Detailed information on the possibilities and ways of handling cookies is available in the software settings (web browser).
Below we present how the User can change the settings of how web browsers use cookies:
11. The User may remove cookies at any time using the features available in their web browser.
12. Websites managed by OTCF S.A. contain links to other websites (managed by other entities). OTCF is not responsible for the privacy protection rules applicable at these websites.