1. General provisions

  1. This document (hereinafter referred to as: “Privacy Policy”) indicates the rules and purposes of processing personal data of Users of the Website accessible at mazzini.com (hereinafter also referred to as the “Website” or “Online Store”). Persons using the Website are also referred to in this Privacy Policy as: “Users” or “Customers”.
    1. The Controller of personal data collected as part of the Website is the Polish company Beso Lux sp. z o.o. with its registered seat in Łódź (90-562) at ul. Łąkowa 7a/E, NIP [Tax ID No.]: 7292718480, REGON [Business ID No.]: 367958776, KRS [Court Register No.]: 0000689756, registration court: District Court for Łódź-Śródmieście in Łódź, Commercial Court, 20th Commercial Division of the National Court Register, contact telephone number: +48 662 151 499, e-mail: administration@besoux.com
    1. The Customer’s personal data is processed in accordance with the Polish Personal Data Protection Act of 10 May 2018 and the Electronic Services Provision Act of 18 July 2002 (Journal of Laws No. 144, item 1204, as amended) and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation is available at http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
    1. All capitalized words or expressions in the content of this document, not defined in the content of this Privacy Policy, should be understood in accordance with their definition provided in the Website Rules and Regulations, available at the Website of the Online Store.
    1.  Using the Online Store, including making purchases, is voluntary. Similarly, the provision of personal data by the Website Customer or Client using the Online Store is voluntary, subject to two exceptions: (1) concluding contracts with the Controller – failure to provide, in the cases and to the extent indicated on the Online Store Website, in the Online Store Rules and Regulations and this Privacy Policy, the personal data necessary to conclude with the Controller and perform a Sales Agreement or Contract for the Provision of Electronic Services results in the inability to conclude such contract. Providing personal data is in this case a contractual requirement and if the data subject wants to conclude a given contract with the Controller, such data subject has the obligation to provide the required data. Each time, the scope of data required to conclude a contract is previously indicated on the Website of the Online Store and in the Online Store Rules and Regulations; (2) statutory obligations of the Controller – providing personal data is a statutory requirement resulting from generally applicable laws imposing on the Controller the obligation to process personal data (e.g. data processing for the purpose of keeping tax or accounting books) and failure to provide them will prevent the Controller from performing these obligations and may constitute the basis for the Controller’s refusal to provide the Service to the User.
    1. The Controller takes special care to protect the interests of subjects of the personal data it processes, and in particular it is responsible for and ensures that the data collected by it are: (1) processed in accordance with the law; (2) collected for specified, lawful purposes and not subjected to further processing incompatible with these purposes; (3) correct as to its content and adequate in relation to the purposes for which it is processed; (4) stored in a form enabling the identification of persons to whom it relates, for the period no longer than necessary to achieve the purpose of processing, and (5) processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures.
    1. Taking into account the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedoms of natural persons with different probability and severity level, the Controller implements appropriate technical and organizational measures to ensure that the processing can take place in accordance with this regulation and that such compliance can be proved. These measures are reviewed and updated as necessary. The Controller uses technical measures to prevent any unauthorized persons from the acquisition and modification of personal data transferred by electronic means.
    1. The Website performs the functions of obtaining information about the Customers and their behavior in the following ways:
      1. through information entered voluntarily in forms;
      1. by saving cookie files (so-called “cookies”) in end-devices.

2.  Basis for data processing

2.1. The Controller is entitled to process personal data in cases where – and to the extent in which – at least one of the following conditions is met: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.2. The processing of personal data by the Controller requires each time the existence of at least one of the bases indicated in point 2.1 of the Privacy Policy. The specific bases for processing the personal data of Customers and Clients of the Online Store by the Controller are indicated in the next section of the Privacy Policy – in relation to the given purpose of personal data processing by the Controller.

3. Purpose and scope of data collection

  • Each time the purpose, basis, period and scope as well as the recipients of the personal data processed by the Controller result from steps taken by a given Customer or Client in the Online Store.
    • The Controller may process personal data in the Online Store for the following purposes, on the following bases, in the following periods and scope:

| Purpose of data processing | Legal basis for processing and period of data storage | Scope of processed data |
| --- | --- | --- |
| Performance of the Sales Agreement or contract for the provision of Electronic Services or taking steps at the request of the data subject prior to entering into above-mentioned agreements or contracts | Article 6 par. 1 letter b) of the GDPR (performance of the contract). The data is stored for the period necessary for the performance, termination or other expiry of the concluded contract. | Maximum scope: given name and surname; e-mail address; contact telephone number; delivery address (street, house number, apartment number, zip code, city, country), address of residence/business/registered seat (if different from the delivery address). In the case of Customers or Clients who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Customer or Client. The scope specified above is maximum. |
| Direct marketing | Article 6 par. 1 letter f) of the GDPR (legitimate interests pursued by the Controller) – The data is processed for no longer than 3 years from the date of conclusion of the last Sales Agreement by a given User, unless the User previously objects to the processing of his/her data for direct marketing purposes. | E-mail address |
| Newsletter | Article 6 par. 1 letter a) of the GDPR (consent) – The data is stored until the data subject withdraws the consent for further processing of his or her data for this purpose. | Given name, e-mail address |
| Expressing the opinion by the Client on the concluded Sales Agreement | Article 6 par. 1 letter a) of the GDPR – The data is stored until the data subject withdraws the consent for further processing of his or her data for this purpose. | E-mail address |
| Keeping tax books | Article 6 par. 1 letter c) of the GDPR in connection with Article 86 § 1 of the Tax Ordinance of 17 January 2017. The data is stored for the period required by law provisions ordering the Controller to store tax books (until the tax limitation period expires, unless tax laws provide otherwise). | Given name and surname; address of residence/business/registered seat (if different from the delivery address), company name and tax identification number (NIP) of the Customer or Client. |
| Determining, investigating or defending claims that may be raised by the Controller or that may be raised against the Controller | Article 6 par. 1 letter f) of the GDPR – The data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than for the period of limitation of claims in relation to the data subject, due to the business activity conducted by the Controller. The limitation period is specified by law, in particular the Civil Code (the basic limitation period for claims related to running a business is three years, and for a sales contract – two years). | Given name and surname; contact telephone number; e-mail address; delivery address (street, house number, apartment number, zip code, city, country), address of residence/business/registered seat (if different from the delivery address). In the case of Customers or Clients who are not consumers, the Controller may additionally process the company name and tax identification number (NIP) of the Customer or Client. |
| Examination of complaints | Article 6 par. 1 letter c) of the GDPR (fulfilment of the legal obligation) – The data is stored for the period necessary to examine the complaint, no longer than for the period of limitation of claims arising from the complaint or the period of final settlement of the dispute regarding claims arising from the complaint. | Given name and surname; contact telephone number; e-mail address; delivery or home address and other data resulting from the complaint received by the Controller |
| Contact form | Article 6 par. 1 letter a) of the GDPR (consent) – The data is stored until the enquiry addressed to the Controller is answered or until the data subject withdraws the consent for further processing of his or her data for this purpose. | Given name and surname; contact telephone number; e-mail address; correspondence address, company name |

  • The Controller processes the following personal data: (1) E-mail address; (2) Given name; (3) Surname; (4) Residence address, delivery address or correspondence address, i.e. street, building number, apartment number, city, postal code, country; (5) Telephone number;
    • If the Client submits an instruction to issue a VAT invoice by the Seller, the Controller also processes the following personal data: (1) Company name; (2) tax identification number; (3) Business address (street, building number, apartment number, city, postal code, country).

4. Information in the forms

  • The Website collects information provided voluntarily by the Customer.
    • The Website may also save information about connection parameters (time stamp, IP address).
    • The data in the forms are not made available to third parties unless the Customer has given his or her consent.
    • The data provided in the forms are processed for the purpose resulting from the function of a specific form, e.g. in order to conclude a Sales Agreement, in order to process the service request or commercial contact, in order to subscribe to the Newsletter.
    • For the proper functioning of the Online Store, including the implementation of Sales Agreements concluded, it is necessary for the Controller to use the services of external entities (such as, for example, a software provider, courier or payment processor). The Controller uses only the services of such processors who provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR and protects the rights of the data subjects.
    • Using the Website involves the processing of personal data by the Controller in an automated manner, including in the form of profiling. Profiling will be aimed at adjusting the sales offers to the expected preferences of the User, including based on previous purchases or previously viewed offers. The Controller ensures that automated data processing and profiling will not cause negative effects on the part of the User.
    • The transfer of data by the Controller does not take place in every case and not to all Customers or categories of Customers indicated in the Privacy Policy – the Controller provides data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it. For example, if the Client uses a personal collection, his data will not be transferred to the carrier cooperating with the Controller.
    • Personal data of the Customers and Clients of the Online Store may be transferred to the following recipients or categories of recipients:
      • carriers/forwarders/courier brokers – in the case of a Client who at the Online Store uses the method of delivery of the Product by regular mail or courier, the Controller provides the Client’s collected personal data to the selected carrier, forwarder or intermediary performing shipments at the request of the Controller to the extent necessary to deliver the Product to the Client or to verify the complaint submitted by the Client (if the claims are related to the delivery of the Product);
      • producers of Products purchased by Clients, if the Product is delivered directly from the producer’s warehouse to the place of delivery indicated by the Client – the Controller provides the Client’s data necessary for delivery;
      • entities servicing electronic or card payments – if the Online Store offers the possibility of making payments by electronic payments or by payment card – the Controller provides the Client’s collected personal data to the selected entity servicing the above payments in the Online Store at the request of the Controller to the extent necessary to handle payments made by the Client;
      • service providers supplying the Controller with technical, IT and organizational solutions, enabling the Controller to run a business, including the Online Store and the Electronic Services provided through it (in particular providers of the computer software for running the Online Store, e-mail and hosting providers as well as providers of software for business management and for providing technical assistance to the Controller) – the Controller provides the collected personal data of the Client to a selected supplier acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this Privacy Policy;
      • providers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular an accounting office, law firm or debt collection company) – the Controller provides the collected personal data of the Client to a selected supplier acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this Privacy Policy;
      • repair services (e.g. furniture repair services, upholstery services, etc.), with which the Controller cooperates – the Controller provides personal data to the repair service in the event of a Client reporting defects or faults in the purchased goods, in order to examine the submitted complaint or its implementation;

5. Rights of the data subject

    • Each person has the right to control how his or her data are processed by the Controller; in particular, the following rights:
      • The right to access, rectify, limit, delete or transfer – the data subject has the right to request from the Controller access to his or her personal data, its rectification, its deletion (“the right to be forgotten”) or the limitation of its processing, and has the right to object to processing, and also has the right to transfer his or her data. Detailed conditions for the exercise of the above-mentioned rights are set out in Articles 15-21 of the GDPR.
      • The right to withdraw consent at any time – a person whose data is processed by the Controller on the basis of expressed consent (pursuant to Article 6 par. 1 letter a) or Article 9 par. 2 letter a) of the GDPR) has the right to withdraw consent at any time without impact on the lawfulness of the processing which was carried out on the basis of consent before its withdrawal.
      • The right to lodge a complaint to the supervisory body – the person whose data is processed by the Controller has the right to lodge a complaint with the supervisory body in the manner and mode specified in the provisions of the GDPR and of the Polish law, in particular the Personal Data Protection Act. The supervisory body in Poland is the President of the Personal Data Protection Office.
      • Right to object – the data subject has the right to object at any time – for reasons related to his or her particular situation – to the processing of his or her personal data based on Article 6 par. 1 letter e) (public interest or tasks) or f) (legitimate interest of the Controller), including profiling based on these provisions. In such a case, the Controller is no longer allowed to process such personal data, unless it demonstrates the existence of valid legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject, or grounds for establishing, investigating or defending claims.
      • Right to object to direct marketing – if personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his or her personal data for such marketing purposes, including profiling, to the extent in which processing is related to such direct marketing.
    • In order to exercise the rights referred to in this point of the Privacy Policy, you can contact the Controller by sending an appropriate message in writing or by e-mail to the Controller’s address indicated in the introductory part of this Privacy Policy or by using the contact form available at the Online Store site.

6. Information on cookies

  • The Website uses cookies.
    • Cookie files (so-called “cookies”) are IT data, in particular text files, which are stored on the Website Customer’s end device and are intended for the use of the Website’s content. Cookies usually contain the name of the Website they come from, the storage time on the end device and a unique number.
    • The Controller is the entity that places cookies on the Website Customer’s end device and obtains access to them.
    • Cookies are used for the following purposes:
      • creating statistics that help to understand how the Website’s Customers use websites, which allows improving their structure and content;
      • maintaining the Service Customer’s session (after logging in), thanks to which the Customer does not have to re-enter the login and password on each subpage of the Service;
      • determining the Customer’s profile in order to display materials in advertising networks that match his or her needs.
    • The Website uses two basic types of cookies: session cookies and persistent cookies. Session cookies are temporary files that are stored on the Customer’s end device until logging out, leaving the Website or turning off the software (web browser). “Persistent” cookies are stored on the Customer’s end device for the time specified in the cookie file parameters or until they are deleted by the Customer.
    • Software for browsing websites (web browser) usually by default allows the storage of cookies on the User’s end device. Customers can change the settings in this regard. The web browser allows you to delete cookies. It is also possible to automatically block cookies. Detailed information on this subject can be found in the help or documentation of the web browser. Restrictions on the use of cookies may affect some of the functionalities available on the Website pages.
    • Detailed information on changing the settings for cookies and their self-removal in the most popular web browsers is available in the help section of the web browser.
    • Cookies placed on the Customer’s end device may also be used by advertisers and partners cooperating with the Website operator.
    • It is recommended to read the Privacy Policy of these entities to learn about the rules of using cookies used in statistics.
    • Cookies may be used by advertising networks, in particular the Google network, to display advertisements tailored to the manner in which the user uses the Website. For this purpose, they may keep information about the user’s navigation path or the time spent on a given page.
    • In terms of information about the Service Customer’s preferences collected by the Google advertising network, the Customer may view and edit information resulting from cookies at: https://adssettings.google.pl/

7. Data transfer outside the EEA

    • As a result of using the Website and Services, Users’ personal data may be made available to the USA, i.e. outside the European Economic Area. The data is transferred to the USA in the following ways:
      • to the Facebook social network or Instagram social network (operated by the company: Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA) via the appropriate “plug-in” (plug-in of the relevant portal) on the Website. The plugin contains the logo of a given social networking site. The plugin allows you to connect the User directly to his or her profile in a given social network. Facebook may then obtain information that the User has used the Website.
      • to Google LLC (1600 Amphitheater Parkway, Mountain View, California, USA) as a result of the use of cookies
    • Privacy laws in countries outside the EU may not offer the same level of protection as in an EU country. However, if the User’s personal data is made available outside the EU, the Controller ensures an appropriate level of data protection. The transfer of data is then based on:
      • decision of the European Commission determining whether the level of data protection is adequate (Article 45 of the GDPR);
      • the legally recognized grounds for data sharing, such as standard contractual clauses (Articles 46-47 GDPR).
      • in the absence of a decision of the European Commission or solutions provided for in Articles 46-47 GDPR, the transfer of data outside the EU will take place on the basis of Article 49 par. 1 point a) or point b) of GDPR, i.e. the transfer of data will be based on the User’s consent or is necessary for the performance of a contract to which the User is a party or to take measures prior to entering into the contract to which the User is a party.
    • In the case of data transfer outside the EU, in addition to the rights set out in point 5 of the Privacy Policy, the User also has the right to obtain information on how to secure data related to the transfer of data to countries outside the EU and information about the right to obtain information about the place of their sharing.

8. Final provisions

    • The Privacy Policy shall enter into force on 17.09.2020
    •  The Controller is entitled to change the provisions of the Privacy Policy at any time for important reasons, including in particular:
      • extension or modification of the Website’s functionalities,
      • introducing new services or changing the scope of services, in particular introducing payment for some or all services,
      • changes in technical requirements necessary for the operation of the Website, in particular regarding the end user’s devices and ICT system, changes in the technical conditions for the provision of services, the occurrence of new types of risk related to the provision of electronic services,
      • the need to introduce technical modifications to the Privacy Policy that do not affect the content of the rights and obligations of the Parties, in particular to remove mistakes and errors, change links,
      • the need to adapt the Privacy Policy to applicable law, in particular with regard to the services provided,
      • the need to adapt the services provided or the content of the Privacy Policy to court judgments and administrative decisions,
      • adjusting the Privacy Policy to the best practices of service provision or user protection,
      • changes to the Controller’s data disclosed in the Privacy Policy, in particular contact details.
    •  The Controller informs about the modifications to the Privacy Policy by: a message that the User can view after logging in, which displays information about the modifications to the Privacy Policy and a link to the content of the new Privacy Policy or the content of the modifications introduced; placing information about the modifications to the Privacy Policy on the Website; sending to the Registered Users the information about modifications to the Privacy Policy along with the uniform text of the Privacy Policy by e-mail to the e-mail address provided during the registration process.