1.1. This Privacy Policy is for information purposes only. The Privacy Policy primarily contains the principles regarding the processing of personal data by the Administrator, including the basis, purposes and scope of personal data processing and the rights of data subjects, as well as information on the use of cookies and analytical tools.
1.2. The administrator of personal data is Fotobudki.pl Przemysław Boniecki, ul. Boczna 29 B, 93-646 Łódź, NIP 773-165-06-67 – referred to in this document as the “Administrator”.
1.3. Personal data are processed by the Administrator in accordance with applicable legal provisions, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”.
1.4. Using the Administrator’s services is voluntary. Similarly, providing personal data is voluntary, subject to two exceptions: (1) entering into agreements with the Administrator – failure to provide personal data necessary for the conclusion and performance of the Agreement for the provision of services with the Administrator in the cases and to the extent indicated in the order form and this privacy policy results in the inability to conclude this agreement. Providing personal data is in such a case a contractual requirement and if the data subject wants to conclude a given agreement with the Administrator, they are obliged to provide the required data. (2) statutory obligations of the Administrator – providing personal data is a statutory requirement resulting from generally applicable legal provisions imposing on the Administrator the obligation to process personal data (e.g. processing data for the purpose of maintaining tax or accounting books) and failure to provide them will prevent the Administrator from fulfilling these obligations.
1.5. The Administrator takes special care to protect the interests of the persons to whom the personal data he processes relate, and in particular is responsible for and ensures that the data he collects are: (1) processed lawfully; (2) collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which they are processed; (4) stored in a form which enables identification of data subjects for no longer than is necessary to achieve the purpose of processing; and (5) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
1.6. Taking into account the nature, scope, context and purposes of processing and the risk of violation of the rights or freedoms of natural persons with varying probability and severity of threat, the Controller shall implement appropriate technical and organizational measures to ensure that processing is carried out in accordance with this Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Controller shall apply technical measures to prevent unauthorized persons from obtaining and modifying personal data sent electronically.
2.1. The Administrator processes personal data when:
(1) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
(2) processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract;
(3) processing is necessary to comply with a legal obligation incumbent on the Controller; or
(4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3.1. Each time, the purpose, basis, period and scope as well as the recipients of personal data processed by the Administrator result from the actions undertaken by a given Client.
3.2. The Administrator may process personal data for the following purposes, on the following grounds, in the following periods and to the following extent:
| The purpose of data processing | Legal basis for processing and data storage period | Type of data processed |
| --- | --- | --- |
| Fulfillment of the concluded contract | art. 6 sec. 1 lit. b GDPR (performance of the contract). Data is processed for the period necessary to demonstrate the performance, implementation, termination of the contract and defense against any claims related thereto | Name, surname, email address, telephone number |
| Creating an account on the website | art. 6 sec. 1 lit. b GDPR (performance of the contract). Data is processed for the duration of the account on the website, and after its deletion for the time necessary to defend against any claims related to the account on the website | Name, surname, email address, phone number |
| Receiving the newsletter | Art. 6 sec. 1 lit. a GDPR (consent). Data is processed throughout the period in which consent to receive the newsletter is granted | Email address |
| Determining, pursuing or defending claims that may be raised by the Administrator or that may be raised against the Administrator | art. 6 sec. 1 lit. f GDPR (legitimate interest of the administrator). Data is processed for the period in which the data subject may file claims, and therefore deletion is after the expiry of the limitation period | Name, surname, email address, telephone number, NIP, PESEL |
| Conducting tax settlements | Article 6, paragraph 1, letter c of the GDPR (fulfillment of a statutory obligation). For the period necessary to make tax settlements | Name, surname, email address, telephone number, NIP, PESEL |
4.1. For the proper functioning of the Service, including the implementation of concluded Agreements, it is necessary for the Administrator to use the services of external entities (such as a software provider, courier or payment service provider). The Administrator only uses the services of such processing entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR Regulation and protects the rights of data subjects.
4.2. The Controller does not transfer data in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it.
4.3. Personal data in connection with the performance of the contract are transferred:
5.1. Information may be processed in an automated manner (including profiling); however, this will not produce any legal effects for a natural person or otherwise affect their rights and obligations.
5.2. In case of profiling:
5.3. The purpose of profiling is:
6.1. The right to access, rectify, limit, delete or transfer – the data subject has the right to request from the Controller access to their personal data, their rectification, deletion (“the right to be forgotten”) or restriction of processing and has the right to object to the processing, as well as the right to transfer their data. Detailed conditions for exercising the above-mentioned rights are indicated in Articles 15-21 of the GDPR Regulation.
6.2. The right to withdraw consent at any time – a person whose data is processed by the Controller on the basis of expressed consent (based on art. 6 sec. 1 letter a) or art. 9 sec. 2 letter a) of the GDPR Regulation) has the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal.
6.3. The right to lodge a complaint with the supervisory authority – i.e. to the President of the Personal Data Protection Office, Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.
6.4. Right to object – the data subject has the right to object at any time – for reasons relating to his or her particular situation – to the processing of his or her personal data based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling based on these provisions. In such a case, the controller is no longer allowed to process the personal data, unless he or she demonstrates compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject, or grounds for establishing, pursuing or defending claims.
6.5. In order to exercise the rights referred to in this point of the privacy policy, you can contact the Administrator by sending an appropriate message in writing or by e-mail to the Administrator’s address indicated at the beginning of the privacy policy or by using the contact form available on the Website.
7.1. Cookies are small pieces of text information in the form of text files, sent by the server and saved on the side of the person visiting the Service (e.g. on the hard drive of a computer, laptop, or on the memory card of a smartphone – depending on the device used by the visitor to the Service). Detailed information on Cookies, as well as the history of their creation can be found here: http://pl.wikipedia.org/wiki/Ciasteczko.
7.2. The Administrator may process the data contained in Cookies when visitors use the Service for the following purposes:
7.2.1. identifying Service Recipients as logged in to the Service and showing that they are logged in;
7.2.2. remembering selected services in order to place an Order;
7.2.3. remembering data from completed Order Forms or login data to the Service;
7.2.4. adapting the content of the Service page to the Service Recipient’s individual preferences (e.g. regarding colors, font size, page layout) and optimizing the use of the Service pages;
7.2.5. keeping anonymous statistics showing how the Service page is used.
7.3. Most web browsers available on the market accept the saving of Cookies by default. Everyone has the ability to specify the terms of using Cookies using the settings of their own web browser. This means that you can, for example, partially limit (e.g. temporarily) or completely disable the ability to save Cookies – in the latter case, however, this may affect some functionalities of the Service.
7.4. The settings of the web browser regarding Cookies are important from the point of view of consent to the use of Cookies by the Service – in accordance with the regulations, such consent may also be expressed through the settings of the web browser. In the absence of such consent, the settings of the web browser regarding Cookies should be changed accordingly.
7.5. Detailed information on changing Cookie settings and deleting them yourself in the most popular web browsers is available in the help section of the web browser and on the following pages (just click on the link):
Personal data may be transferred outside the European Economic Area, but in such a situation it always takes place to countries that ensure at least the same level of protection of personal data as that applicable in the territory of the European Union.
8.1. The Service may contain links to other websites. The Administrator encourages you to read the privacy policy established there after going to other websites. This privacy policy applies only to the Administrator’s Service.
8.2. The Privacy Policy is constantly reviewed and updated as necessary.
8.3. The current version of the Privacy Policy has been adopted and is effective from December 1, 2024.