Personal data protection and privacy policy

Personal data protection and privacy policy

Below is an excerpt from the currently applicable "IdoSell Terms and Conditions" regarding "Personal data protection and privacy policy" and "Entrusting data processing to the Operator".

§ 4 - Personal data protection and privacy policy

1. The processing of personal data provided by the Client during Activation is carried out on the basis of Article 6, paragraph 1, point (b) of the GDPR, for the purpose of providing the Service by the Operator and issuing accounting documents, as well as on the basis of consent expressed on the basis of Article 6, paragraph 1, point (a) of the GDPR on the processing of the Client's personal data for marketing purposes.

2. On the basis of Article 6, paragraph 1, point (b) of the GDPR, the Operator processes Client's personal data in the form of profiling reservation services provided by the Client in the scope of customer service and marketing. The Operator does not make automated decisions concerning the Client on the basis of profiling referred to in Article 22, paragraph 1 and 4 of the GDPR.

3. For purposes related to safety and improving the quality of services, all telephone calls and online calls are monitored. The legal basis for the processing of personal data is the consent of the Client expressed by continuing the conversation. In justified cases, this period may be extended. Recorded conversations will be made available only to authorized persons or bodies.

4. The Administrator of the Client's personal data is the Operator, i.e. IAI S.A. - with headquarters in Poland, Aleja Piastów 30, 71-064 Szczecin, +44 207 1931 010 Ext. 1,

5. The Operator will store the Client’s personal data until the expiry of the limitation period for claims arising from the concluded contract or for the period required by separate regulations regarding tax and accounting obligations - depending on which period ends later. After this date, the Client's personal data will be processed by the Operator on the basis of Article. 6, paragraph 1, point (f) of the GDPR, i.e. with intend resulting from legitimate interests pursued by the Operator for the purposes of marketing campaigns.

6. The Client has the right to request from the Operator the access to their personal data, rectification, deletion or limitation of processing, as well as the right to object to the processing (also for marketing purposes, including profiling) and the right to data transfer.

7. If the processing of personal data by the Operator is based on the consent given by the Client referred to in Article 6, paragraph 1, point (a) of the GDPR, the Client has the right to withdraw consent at any time without affecting the legality of the processing, which was made on the basis of consent before its withdrawal.

8. The Client has the right to lodge a complaint to the supervisory body, which is the President of the Personal Data Protection Office.

9. Providing personal data by the Client is a contractual requirement and is voluntary, but necessary to complete the Service. Failure to provide personal data results in the refusal to provide the Service.

10. The Operator commits to comply with the secrecy related to the Client's data, including data of Shop’s customers, as well as not to disclose the data to unauthorized persons and to securely protect this information against access of any unauthorized persons. The Operator can not use this data for purposes other than those specified in §4, article 1 and 2 of the Terms and Conditions.

11. The Operator has the right to use the Client's information only in an aggregated manner that does not allow identification of the Client or the Shop's customer, for the needs of reports.

12. The Operator has the right to publish the basic data of the Client (company name, address of the Site) on the list of references, unless the Client declares otherwise. At the request of the Client the Operator is obliged to remove the data from the list of references as soon as possible, with the exception of non- editable materials, in particular printed materials, which the Operator reserves the right to keep using.

13. Payment data of Client referred to the Operator by IAI Affiliate Partners (including Bronze Level Partners), shall be visible to the respective acquiring partner in order to make settlements under the affiliate program. Client can choose not to make such data available to the acquiring IAI Affiliate Partner by making a suitable statement in a Written form, which will result in the partner no longer receiving the relevant commission.

14. If the Client switches on any of the dedicated Third Party integration via the Service, or sets up and manages external Third Party integration on their own, both the Client's and Shop’s customers' personal data is made available to Third Parties solely at the Client's risk. The purpose, mode and terms of processing of such data by a Third Party should be defined in a separate contract between the Client and the Third Party. The Operator is not responsible for consequences of provision of such data to a Third Party.

15. By using the Affiliate Partner External Services, the Client entrusts Affiliate Partners with the processing of the Shop’s customer personal data in the scope and purpose necessary to perform the service, which obliges them to conclude an appropriate agreement with Affiliate Partners.

16. All data created as a result of use of the Services is regarded as the property of the Client. Such property
does not cover:
a. Any rights to the Service or the Operator's software enabling the operation of the Service.
b. Any elements of the Service within a different scope than the exportable data.
c. Data structures other than those contained in the exported data.
d. Data which could not be exported independently at the moment when the Service was ordered, in
particular information which requires the Operator to create custom software in order to be exported.

17. In the event that a test page is displayed in relation to planned maintenance, a breakdown or blocking of the Shop, Client agree that their Billing Data can be displayed.

18. The Operator undertakes to comply with the privacy policy published on the Operator's Website.

19. More current information on the protection of personal data, including the information obligations required by the GDPR, can be found in the privacy and security policy of IAI S.A. - in the "Information compliant with the GDPR" tab available on the Operator's website.

§ 4a - Entrusting data processing to the Operator

1. The Client declares to be the administrator of the personal data of Shop’s customers supported within the Service, as well as personal data of the Client's employees, associates and contractors which is disclosed to the Operator to ensure the provision of the Service and the data is processed in accordance with applicable law.

2. By expressing consent for provision the Service and accepting these Terms and Conditions, the Client entrusts the Operator with processing personal data of Shop’s customers, employees, co-workers and contractors who operate on the basis of the Software used as part of the Service, as well as the personal data of their employees, associates and contractors shared with the Operator to ensure the provision of the Service for its duration and in the scope of storage, preservation, processing and sharing. The Client entrusts the Operator with the following Shop’s customer data: name, surname, registered office address, correspondence address, e-mail address, telephone number, tax Identification number, bank account number or other personal data which is necessary to complete the purchase and which the Client requires to be provided in the purchase process.

3. The Customer's consent for provision of the Service and acceptance of these Terms and Conditions constitute a documented order referred to in Article 28, paragraph 3, point (a) of the GDPR.

4. The Operator commits to process the personal data provided to him in the above-mentioned scope in accordance with the law and security regulations and the privacy policy referred to in § 4 of the Terms and Conditions, so that the processing protects the rights of data subjects.

5. The Operator obliges to take all measures required under Article 32 of the GDPR, i.e. taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons with different probability of occurrence and threat weight, the Operator will implement appropriate technical and organizational measures to ensure the security level corresponding to this risk.

6. The Operator ensures that the personal data entrusted to him will be disclosed only to individuals authorized to process personal data, who will be obliged to keep it confidential.

7. The Client expresses general consent for the Operator to use services of other processors. The Operator commits to inform the Client about any intended changes regarding the addition or replacement of other processors, thus, giving the Client the opportunity to object to such changes within 7 days from the date of notification. If the Client objects, § 7 sec. 5 is applicable.

8. If the Operator uses services of another processing entity to perform specific processing operations on the Client's behalf, the processing entity is obliged - under a contract or other legal act subject to the European Union law or the law of a Member State – to obey the same data protection regulations as in the contract or other legal act between the Client and the Operator referred to in this paragraph of the Terms and Conditions, in particular the obligation to provide sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing complies with the requirements of this regulation. If this other processor fails to fulfil its data protection obligations, the Operator bears full responsibility towards the Client for the fulfilment of the obligations of this other processor - limited to the amount of a 1-month Subscription Fee. In the event of damage exceeding the 1- month Subscription Fee, the Client may claim supplementary compensation on general terms.

9. Taking into account the nature of the processing, the Operator, as far as possible, commits to assist the Client by means of appropriate technical and organizational measures, to comply with the obligation to respond to the requests of the data subject, in the exercise of its rights set out in Chapter III of GDPR, and to fulfil the obligations set out in Article 32-36 of the GDPR.

10. After completing the provision of the Service, the Operator, depending on the Client’s decision, deletes or returns any personal data to the Client and removes all existing copies, unless European Union law or Polish law requires the storage of personal data.

11. The Operator provides the Client with all information necessary to demonstrate compliance with the obligations for the lawful processing of personal data and enables the Client, or the auditor authorized by the Client to carry out audits, including inspections, and contributes to them.

12. The Operator will also make available to the Client, upon request, the Personal Data Protection Policy (in parts relevant for the Client) in order to demonstrate that the Operator fulfills obligations under these Terms and Conditions.

13. The Client requests to conduct an audit at the Operator or review the Data Protection Policy to the Operator's Data Protection Inspector.

14. After receiving the request by the Operator, the Operator and the Client will discuss and agree in advance upon:
a. The date (s) of the Data Protection Policy review as well as the security and confidentiality principles applicable to each review of the data protection policy;
b. The reasonable start date, scope and duration and security and confidentiality conditions applicable to each audit.

15. The Operator may charge a fee (based on reasonable Operator's costs) for each review of the Data Protection Policy and / or audit. The Operator will provide the Client with additional details of any applicable fees and the basis for their calculation, before such a review or audit. The Client will be responsible for all fees charged by the auditor appointed by the Client in order to perform such an audit.

16. The Operator may submit in writing objections to the auditor appointed by the Client to conduct the audit, if the auditor is not, in the reasonable opinion of the Operator, suitably qualified or independent, is related to the competition of the Operator or otherwise clearly inappropriate. All such reservations on the part of the Operator will require the Client to appoint another auditor or carry out the audit himself.

17. The Operator immediately informs the Client if, in his opinion, the instruction given by the Client constitutes an infringement of the GDPR or other provisions of the European Union or Polish law on data protection.

18. The Operator is liable towards the Client for damages caused by the processing of entrusted personal data of the Client only when the Operator has not fulfilled the obligations that the GDPR imposes directly on him, or if he acted outside the lawful instructions of the Client, or contrary to these instructions. The Operator is liable to the amount of a 1-month Subscription Fee. In the case of damage exceeding the amount of 1-month Subscription fee, the Client may claim supplementary compensation on general terms.

19. The provisions of § 4, paragraph 12 apply accordingly.

Read the full text "IdoSell Terms and Conditions".