Online Store
JBB
Online Store
JBB

Privacy policy

PRIVACY POLICY OF JBB BAŁDYGA JÓZEF BAŁDYGA

In accordance with the obligation set forth in Articles 13 and 14, paragraphs 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1), hereinafter referred to as the “GDPR,” we present the principles regarding the processing of personal data by JBB Bałdyga Józef Bałdyga (hereinafter: JBB or Administrator).

§ 1. Data Controller

  1. The data controller of our clients, contractors, and collaborators is Józef Bałdyga, conducting business under the name JBB Bałdyga Józef Bałdyga, with its registered office in Łyse, ul. Kościelna 25, registered in the Central Register and Information on Economic Activity, with Tax Identification Number (NIP) 758-000-32-07 and REGON 550329547.
  2. For matters related to the processing of personal data, clients may contact us at: JBB Bałdyga Józef Bałdyga, ul. Kościelna 25, 07-437 Łyse, or via email at: [iod@jbb.pl].
  3. The Administrator processes personal data of:
    • natural persons,
    • natural persons conducting business or professional activity in their own name, as well as natural persons engaged in business activities covered by consumer protection,
    • natural persons representing legal entities or organizational units that are not legal entities but are granted legal capacity by law, conducting business or professional activities in their own name.

    The categories of data subjects listed above will hereinafter be referred to as: Clients or Users.

 

§ 2. Purpose, Legal Basis, and Retention Period of Personal Data Processing

Purpose of Data Processing Legal Basis for Processing Data Retention Period
Conclusion and performance of contracts (particularly service, sales, and delivery contracts) with clients/contractors (who are natural persons) Article 6(1)(b) GDPR – sales or delivery contract between the client and the Administrator

Article 6(1)(c) GDPR – provisions of the Civil Code governing the conclusion and performance of a sales/delivery contract, provisions of the Accounting Act (regarding settlements)

 For the duration of the contract and after its termination until the expiration of claims limitation periods. The limitation period is determined by the provisions of the Civil Code and the Accounting Act.

If the limitation periods for potential claims are shorter than the limitation period required by tax regulations, the documents will be retained for the time necessary for tax and accounting purposes, i.e., for 5 years from the end of the year in which the tax obligation arose, depending on which period expires later.
Processing of data of employees or collaborators of clients/contractors

Purpose: Proper execution of contracts (in the case of contractors who are legal entities or entrepreneurs), ensuring contact with contractors

 Article 6(1)(f) GDPR – legitimate interest of the Administrator, which is to properly execute the contract and maintain contact with the contractor For the duration of the contract and after its termination until the expiration of claims limitation periods, generally 3 years, maximum 6 years. The limitation period is determined by the Civil Code.
Handling complaints filed by clients (warranty and guarantee claims) Article 6(1)(b) GDPR – sales or delivery contract between the client and JBB

Article 6(1)(c) GDPR – in connection with applicable legal provisions, including Civil Code provisions regarding warranty

 Documentation related to complaint handling will be retained for one year after the expiry of the warranty or settlement of the complaint. Warranty or guarantee claim deadlines are specified in the Civil Code.
Conducting marketing activities for potential and current clients (without the use of electronic communication means) Article 6(1)(f) GDPR – the Administrator’s legitimate interest is manifested in the desire to conduct advertising campaigns targeting clients. Until the client objects to the processing of their data for marketing purposes.

The Administrator periodically evaluates the usefulness of data collected for marketing purposes and removes unnecessary data.
Conducting marketing activities for potential and current clients (using electronic communication means) Article 6(1)(a) GDPR – consent of the data subject

The legal basis for processing is also the consent of the data subject due to the provisions of the Telecommunications Law and the Act on the Provision of Electronic Services.

 Until consent is withdrawn or the Administrator is informed in any manner about the wish to cease contact and receiving information about the Administrator’s actions via email or phone.

The Administrator periodically evaluates the usefulness of data collected for marketing purposes and removes unnecessary data.
Subscription to the newsletter (execution of a contract for an electronic service) Article 6(1)(a) GDPR – voluntary consent of the data subject Personal data processed in connection with newsletter subscription will be stored until the subscriber withdraws consent, in the same manner in which it was granted.

The Administrator periodically evaluates the usefulness of collected data and removes unnecessary data.

§ 3. Types and Categories of Processed Personal Data

  1. The Administrator processes the following personal data:
      1. In connection with the conclusion and performance of contracts, the Administrator processes the following personal data of Clients/Users:
        • first and last name,
        • email address,
        • address,
        • phone number,
        • Tax Identification Number (NIP) (for entrepreneurs and legal entities),
        • company name (for entrepreneurs and legal entities),
        • PESEL (Personal Identification Number),
        • other required data.</
        • The Administrator stores data in a form that allows the identification of the data subject for no longer than necessary for the purposes for which the data is processed (principle of storage limitation and purpose limitation).
        • The Administrator processes data in a manner ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures (principle of integrity and confidentiality).
        • The Administrator is responsible for compliance with all data processing principles listed in points a)-f) and is able to demonstrate compliance (principle of accountability).
      2. The Administrator implements appropriate technical and organizational measures to ensure the highest level of security for the personal data it processes.

       

      § 7. EXERCISING THE RIGHTS OF DATA SUBJECTS

      1. [Scope of Subject Rights] The Administrator ensures the rights of data subjects (Clients/Users) by implementing procedural guarantees for the protection of their rights and freedoms. According to Articles 12-23 of the GDPR, individuals whose data is processed by the Administrator have the right to:
        1. access their personal data and obtain a copy,
        2. rectify (correct) their personal data if it is incorrect,
        3. restrict the processing of personal data,
        4. erase personal data (the so-called “right to be forgotten”),
        5. lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw (kancelaria@uodo.gov.pl) if they believe that the processing of personal data violates GDPR regulations,
        6. withdraw consent for the processing of personal data if consent was the legal basis for processing,
        7. object to the processing of data in cases specified in Articles 21-22 of the GDPR.
      2. [Right of Access] Under Article 15 of the GDPR, the User/Client has the right to obtain confirmation from the Administrator as to whether their personal data is being processed. If processing is occurring, they have the right to:
        1. access their personal data;
        2. obtain information about the purposes of processing, categories of processed personal data, recipients or categories of recipients of such data, the planned storage period or criteria for determining that period (when it is not possible to specify the planned processing period), the rights granted under the GDPR, the right to lodge a complaint with the supervisory authority, the source of the data, automated decision-making, including profiling, and the safeguards applied concerning the transfer of data outside the European Union;
        3. obtain a copy of their personal data.
      3. [Right to Obtain a Copy of Data] Upon request, the Administrator provides the data subject with a copy of their data and records the issuance of the first copy. The Administrator establishes and maintains a pricing policy for additional copies of data, determining fees based on estimated unit costs for processing such requests.
      4. [Right to Rectification] The Administrator corrects inaccurate data upon request of the data subject. The Administrator may refuse rectification unless the data subject demonstrates the inaccuracies in the data they request to be corrected.
      5. [Right to Erasure] The Administrator deletes data upon request of the data subject in the following cases:
        1. the data is no longer necessary for the purposes for which it was collected or processed,
        2. the data subject has withdrawn consent, and the Administrator has no other legal basis for processing,
        3. the data subject has effectively objected to the processing of their data,
        4. the personal data has been processed unlawfully,
        5. deletion of the data is required to comply with a legal obligation,
        6. the request concerns a child’s data collected based on consent for the provision of information society services directly to the child.
      6. The Administrator ensures the effective implementation of the right to erasure while respecting all data protection principles, including security. The Administrator has a process to verify whether any exceptions under Article 17(3) of the GDPR apply.
      7. If the Administrator has made the data public, reasonable measures, including technical means, will be taken to inform other administrators and processors that the data must be erased and access to it must be removed.
      8. The Administrator refuses to erase data where processing is necessary:
        1. for exercising the right to freedom of expression and information;
        2. to comply with a legal obligation under EU or member state law or to perform a task carried out in the public interest or in the exercise of official authority vested in the Administrator;
        3. for the establishment, exercise, or defense of legal claims.
      9. [Right to Restrict Processing] The Administrator restricts data processing upon the data subject’s request when:
        1. the accuracy of the personal data is contested by the data subject – for a period allowing the verification of its accuracy,
        2. the processing is unlawful, but the data subject opposes the erasure of the data and instead requests the restriction of its use,
        3. the Administrator no longer needs the personal data, but it is required by the data subject for the establishment, exercise, or defense of legal claims,
        4. the data subject has objected to the processing due to their particular situation – pending verification of whether the Administrator’s legitimate grounds override the grounds for objection.
      10. During the processing restriction, the Administrator stores the data but does not process it (use or transfer it) without the data subject’s consent, except for the establishment, exercise, or defense of legal claims or the protection of the rights of another individual or legal entity, or for significant public interest reasons.
      11. The Administrator notifies each recipient to whom the personal data has been disclosed about any rectification, erasure, or restriction of processing carried out under Articles 16, 17(1), and 18 of the GDPR, unless it proves impossible or requires disproportionate effort. The Administrator informs the data subject of these recipients upon request.
      12. [Right to Data Portability] Upon request, the Administrator provides data concerning the data subject, which the data subject has supplied to the Administrator and which is processed based on consent or contract performance, in a structured, commonly used, and machine-readable format or transfers it to another entity, where technically feasible.
      13. [Right to Object to Processing] The User has the right to object at any time – based on their specific situation – to the processing of their personal data, including profiling, if the Administrator processes their data based on legitimate interest, e.g., product and service marketing, or website usage statistics.
      14. Opting out of marketing communications via email will be considered an objection to the processing of the User’s personal data, including profiling, for such purposes.
      15. If the User’s objection is justified and the Administrator has no other legal basis for processing the personal data, the data subject’s personal data will be erased and no longer processed for that purpose.

       

      § 8. RIGHT TO WITHDRAW CONSENT FOR DATA PROCESSING RELATED TO DIRECT MARKETING AND PROFILING

      1. For data processed based on consent, the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal (particularly regarding direct marketing, newsletters, commercial information, and profiling).
    2. In the remaining scope (in particular, for the purpose of processing data for marketing purposes, sending newsletters, and contact via the contact form), providing data is voluntary.

    § 10. PROFILING

    1. JBB conducts profiling within the meaning of Article 4 of the GDPR, i.e., it applies a form of automated processing of customers’ personal data, using this data to assess certain personal factors of a natural person interested in JBB products. In this way, JBB makes decisions in an automated manner based on the personal data it has obtained. JBB stores information about customers’ purchases to suggest additional products tailored to the customer’s preferences, expectations, and needs.
    2. In connection with profiling, the Data Controller has implemented appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject.
    3. Decisions regarding the presentation of a specific commercial offer by JBB are based on an assessment of certain customer information, including transaction history, website visit history, location data, and user behavioral data.
    4. Profiling is conducted for the Data Controller’s marketing (advertising) purposes (legitimate interest of the Data Controller).
    5. The customer has the right to object to the processing of personal data related to profiling for marketing purposes at any time. The objection should be submitted in writing to the correspondence address indicated in § 1 or via email at: [iod@jbb.pl].

    § 11. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

    1. Personal data may be transferred outside the European Economic Area (EEA) in connection with the services provided, sales conducted, or goods delivered by the Data Controller. Some third countries are certified by the European Commission as having data protection levels comparable to the EEA standard through so-called adequacy decisions. However, for other third countries to which personal data may be transferred, the level of data protection may not be equally high due to the lack of legal regulations. In such cases, JBB ensures that data protection is adequately guaranteed. This is achieved through binding corporate rules, standard contractual clauses issued by the European Commission, certifications, or recognized codes of conduct.
    2. The transfer of personal data outside the EEA is based on Article 49(1)(b) of the GDPR, which allows for the transfer of personal data if necessary for the performance of a contract between the data subject and the Data Controller, or on Article 49(1)(c) of the GDPR, which allows for data transfer if it is necessary for the performance of a contract concluded in the interest of the data subject.
    3. The Data Controller implements necessary technical and organizational measures to ensure the security of customers’ personal data. This includes ensuring that personal data is processed only by authorized individuals and is stored on media and in locations that guarantee its security.

    § 11. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

    Personal data will not be transferred outside the European Economic Area.

    § 12. COOKIE POLICY

    1. To tailor the sale of specific products to the individual needs and preferences of customers, information is collected in the form of so-called cookies. Cookies are IT data, including text files, stored on the user’s end device and intended for use on the website.
    2. Cookies are used to identify the software used by the website user and to optimize and secure the website’s operation. Cookies contain the domain name from which they originate, specify their storage duration on the user’s computer, and have an assigned number.
    3. The entity placing cookies on the website user’s device and accessing them is the Data Controller.
    4. We use two types of cookies on our website:
      • Session cookies – temporary files stored on the user’s end device until they log out or leave the website.
      • Persistent cookies – stored on the user’s end device for the time specified in the cookie parameters or until deleted by the user.
    5. Detailed information on the possibilities and ways to manage cookies and configure their handling through user software is available in the user’s browser settings.
    6. The user has the option to limit the use of cookies; however, such limitations may affect the functionality and availability of certain features on the website.
    7. Visiting this website while the browser settings of the device used to view it allow for the use of cookies is considered consent to their use.
    8. Cookies are used by JBB to optimize website performance and for statistical analysis purposes. The website uses cookies from various services, such as:
      1. Clickmeeting – an online meeting tool. More about privacy when using Clickmeeting: Clickmeeting Privacy Policy
      2. eRecruiter – a platform for job application data collection. More about privacy: eRecruiter Privacy Policy
      3. Facebook Pixel – a Facebook tracking tool for advertising. More about privacy: Facebook Privacy Policy
      4. Google Ads – an advertising tool for tracking and remarketing. More about privacy: Google Ads Privacy Policy
      5. YouTube – a video-sharing platform. More about privacy: YouTube Privacy Policy

    § 13. CHANGES TO THE PRIVACY POLICY

    1. This Privacy Policy is effective from January 1, 2025.
    2. The Data Controller reserves the right to change the Privacy Policy, influenced by internet technology developments or changes in personal data protection laws, as well as the development of the website. Any changes to the Privacy Policy will be communicated clearly and visibly on the website.