I. GENERAL PROVISIONS
1. BEST DIAMONDS MARKOWSKI SPÓŁKA KOMANDYTOWA, with its registered office in Białystok and its place of business and correspondence address at: ul. Michała Motoszko 28, 15-111 Białystok, Poland, Tax Identification Number (NIP): 542-332-10-91, Statistical Number (REGON): 380786285, entered in the Register of Entrepreneurs of the National Court Register under KRS number: 0000963537, e-mail address: contact@gremari.com, telephone number: + 85 873 05 70, acting as the controller of your personal data (hereinafter: the “Controller”), is committed to protecting your privacy. In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1), we hereby provide you with the key information concerning the principles governing the processing of your personal data by the Controller, including information on the cookies used on our online platform.
2. The Controller collects and processes personal data in compliance with applicable law, in particular with the provisions of the GDPR and the data processing principles laid down therein. We strive to ensure transparency in data processing and, in particular, we inform you at the moment of data collection about the purpose and legal basis of such processing – for example, when creating an account on www.gremari.com, entering into a contract, or subscribing to a newsletter. The Controller ensures that personal data are collected only to the extent necessary to achieve the intended purpose and are processed only for the period required to fulfil that purpose.
3. In processing personal data, the Controller ensures their security and confidentiality as well as access to information regarding such processing for data subjects. If, despite the security measures in place, a personal data breach occurs (such as a “data leak” or data loss), the Controller shall act in accordance with the GDPR and notify the competent supervisory authority and the affected data subjects in a manner compliant with applicable legal requirements.
II. PERSONAL DATA CONTROLLER (“Controller”)
The Controller of your personal data in connection with your use of the website gremari.com (hereinafter: the “Service”) is BEST DIAMONDS MARKOWSKI SPÓŁKA KOMANDYTOWA, with its registered office and business/correspondence address at ul. Michała Motoszko 28, 15-111 Białystok, Poland.
If you have any questions regarding the processing of your personal data or your rights under applicable data protection laws, you may contact us:
a) in writing at the following address:
BEST DIAMONDS MARKOWSKI SPÓŁKA KOMANDYTOWA, ul. Michała Motoszko 28, 15-111 Białystok, Poland;
b) by contacting our staff member responsible for assisting users in exercising their data protection rights via:
e-mail: contact@gremari.com
telephone: + 85 873 05 70
III. PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING
1. The Controller may process the following personal data of users or customers using the Service: first and last name; e-mail address; contact telephone number (if provided in connection with your enquiry); delivery address (street, building number, apartment number, postal code, town/city, country); residential address/company registered office address (if different from the delivery address); data relating to order fulfilment, including payment details. In the case of users or customers who are not consumers, the Controller may also process the company name and the customer’s tax identification number (NIP). Providing the above personal data may be necessary for the conclusion and performance of a sales contract or a contract for the provision of electronic services through the Service. The scope of data required for the conclusion of a contract is always specified in advance on the Service’s website and in the Terms and Conditions of the online store.
2. Depending on the functionalities of the Service that you use, we process the personal data you voluntarily provide to us for the following purposes:
a) Displaying website content – legitimate interest (Article 6(1)(f) GDPR), consisting of providing the Service and preventing misuse.
b) Creating and managing a user account, user verification – necessary for the performance of a contract for the provision of the account service (Article 6(1)(b) GDPR).
c) Services requiring account creation – necessary for performance of services in accordance with the terms and conditions (Article 6(1)(b) GDPR).
d) Sending newsletters – your consent (Article 6(1)(a) GDPR).
e) Ensuring the security of online sales services through recording users’ IP addresses – legitimate interest (Article 6(1)(f) GDPR).
f) Order fulfilment (including complaints):
– necessary for the performance of the contract (Article 6(1)(b) GDPR);
– legal obligation of the Controller (Article 6(1)(c) GDPR), in particular pursuant to tax and accounting regulations.
g) Statistics, facilitating the use of the Service, and IT security – legitimate interest (Article 6(1)(f) GDPR).
h) Establishment, exercise and defence of claims – legitimate interest (Article 6(1)(f) GDPR).
i) Sending satisfaction surveys – legitimate interest (Article 6(1)(f) GDPR).
j) Responding to enquiries – legitimate interest (Article 6(1)(f) GDPR).
k) Handling complaints, requests, and appeals –
– Article 6(1)(b) and (c) GDPR (contract performance and legal obligation);
– Article 6(1)(f) GDPR (legitimate interest in handling complaints, requests, and appeals).
IV. DATA RETENTION PERIOD
1. The period for which personal data are processed depends on the type of service provided and the purpose of the processing. The retention period may also arise from applicable legal regulations if they constitute the legal basis for processing.
2. We store your personal data for the duration of your user account within the Service, for the purpose of providing the account-related services and other services rendered in accordance with the Terms and Conditions for the Provision of Electronic Services. Once the account is deleted, your data will be anonymised, except for specific personal data retained for the purpose of handling complaints relating to the use of the Controller’s services, as well as for the establishment, exercise, or defence of legal claims.
3. If the legal basis for processing is the necessity to conclude and perform a contract, the data will be processed for the duration of the Service or order fulfilment, until full performance of the contract and the expiry of the post-transaction periods allowing for the exercise of certain claims (e.g., warranty or statutory guarantee).
4. If the processing is based on consent, the data will be processed until such consent is withdrawn or until an effective objection or request for erasure is lodged.
5. If the data are processed on the basis of the Controller’s legitimate interest, they will be processed for the period necessary to pursue that interest or until an effective objection to processing is submitted, or—if no such objection is made—until the legitimate interest ceases to exist.
6. Data processed in connection with the “Product Enquiry” function will be retained for the duration of the correspondence. If you express further interest in our product/service and accept our price offer, the data will be processed for the purposes necessary to perform the contract, as described in point 5 above.
7. The retention period may be extended if processing is necessary for the establishment, exercise, or defence of legal claims. After the expiry of such period, the data may be stored only where required by law and only to the extent required. Your data will be processed only for as long as we have a legal basis to do so, i.e. until:
a) we cease to be subject to a statutory obligation requiring the processing of data,
b) the limitation period for claims relating to the contract concluded through the Store expires,
c) you withdraw your consent, if consent was the legal basis, or you lodge an objection to processing—
depending on which of these events occurs last.
8. After the expiry of the data retention period, the data will be irreversibly deleted or anonymised.
V. CATEGORIES OF RECIPIENTS OF PERSONAL DATA
1. In connection with the provision of services by the Controller, your personal data may be transferred to external entities, in particular IT service providers (including those responsible for operating IT systems used to provide online services), entities such as banks and payment operators (where electronic payment methods are chosen), providers of accounting and bookkeeping services, courier and postal operators, carriers or intermediaries acting on behalf of the Controller, marketing agencies (within the scope of marketing services), providers of legal or accounting services, and other entities providing ancillary services necessary for the performance of the concluded contract.
2. Your data may also be provided to competent authorities or third parties that request such information on the basis of a valid legal ground obliging the Controller to provide such data. In accordance with applicable law, your personal data may be disclosed upon request to authorised public authorities if required by law.
3. The Controller acknowledges that the level of personal data protection outside the European Economic Area (EEA) may differ from that ensured by EU law. The Controller will always inform data subjects at the moment of data collection of any intention to transfer data outside the EEA. At present, the Controller does not use the services of such entities. The Controller transfers personal data outside the EEA only when necessary and only where appropriate safeguards are in place, primarily through:
• cooperation with entities located in countries for which the European Commission has issued an adequacy decision;
• the use of standard contractual clauses adopted by the European Commission;
• the use of binding corporate rules approved by the competent supervisory authority.
VI. RIGHTS OF THE DATA SUBJECT
1. We ensure the exercise of your rights as described below. You may exercise these rights by submitting a request using the contact details set out in Section IV above. As a data subject, you have the following rights:
a) Right to rectification
You have the right to rectify and complete the personal data you have provided to us. With respect to any other personal data, you have the right to request their rectification (if inaccurate) and completion (if incomplete).
b) Right to object to processing
You have the right to object at any time to the processing of your personal data, including profiling, where the processing is based on our legitimate interest—for example, in connection with compiling usage statistics for the Service, facilitating the use of the Service, or conducting satisfaction surveys.
If your objection is justified and we have no other legal basis for processing your personal data, the data to which the objection relates will be erased.
c) Right to erasure (“right to be forgotten”)
You have the right to request the erasure of all or part of your personal data. A request for the erasure of all personal data will be treated as a request to delete your user account.
You may request erasure of your personal data if:
• you have withdrawn your consent to the extent to which processing was based on such consent;
• your personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• you have objected to the use of your data for marketing purposes;
• you have objected to the use of your data for statistical analysis of the Service, and your objection has been considered justified;
• your personal data have been processed unlawfully.
d) Right to restriction of processing
You have the right to request restriction of the processing of your personal data. After submitting such a request and until it is resolved, we will prevent you from using certain functionalities or services requiring the processing of the relevant data. We will also refrain from sending you any communications, including marketing messages.
You may request restriction of processing if:
• you contest the accuracy of your personal data – processing will be restricted for the period necessary for us to verify the accuracy of the data, but no longer than 7 days;
• the processing is unlawful and you request restriction instead of erasure;
• the data are no longer needed for the purposes for which they were processed, but you need them for the establishment, exercise, or defence of legal claims;
• you have objected to processing – restriction applies while we assess whether your objection outweighs our legitimate grounds.
e) Right of access
You have the right to obtain confirmation as to whether we process your personal data, and if so, you have the right to:
• access your personal data;
• obtain information on the purposes of the processing, categories of data concerned, recipients or categories of recipients, the envisaged storage period or the criteria used to determine it, the rights you have under the GDPR, the right to lodge a complaint with a supervisory authority, the source of data (if not collected directly from you), the existence of automated decision-making, including profiling, and appropriate safeguards for data transfers outside the EU;
• receive a copy of your personal data.
f) Right to withdraw consent
Where processing is based on your consent, you may withdraw such consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to its withdrawal.
g) Right to data portability
You have the right to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit those data to another controller of your choice. You also have the right to request that we transmit the data directly to such other controller, where technically feasible. We will provide your data in a widely used, machine-readable, portable file format.
h) Right to lodge a complaint
If you believe that the processing of your personal data infringes the GDPR or other applicable data protection laws, you have the right to lodge a complaint with the President of the Personal Data Protection Office.
2. If the Controller is unable to identify the person submitting a request based on the information provided, the applicant will be asked to provide additional information. A request may be submitted personally or through a representative (e.g., a family member).
3. For data security purposes, the Controller recommends the use of a power of attorney certified by a notary public or by an authorised legal adviser or attorney-at-law, which significantly expedites verification of its authenticity.
4. Responses will be provided in writing, unless the request was submitted by e-mail or unless the applicant requested an electronic response.
5. Response time – how quickly will your request be processed?
If you exercise any of the rights listed above and submit a corresponding request, we will grant or refuse such request without undue delay and no later than one month after its receipt. If the request is particularly complex or if we receive a large number of requests, this period may be extended by an additional two months. In such cases, you will be informed in advance of the extension and the reasons for the delay.
For technical reasons, we always require 24 hours to update your preferences in our systems. Therefore, you may still receive an e-mail message from us during the update process, even if you have opted out of such communications.
6. Submitting complaints, queries, and requests
You may submit complaints, enquiries, and requests relating to the processing of your personal data and the exercise of your rights under the GDPR.
VII. PROFILING
Within the Service, we may automatically tailor certain content to your individual needs, i.e. carry out profiling using the personal data you have provided. Before we conduct profiling that:
a) produces legal effects concerning you, or
b) similarly significantly affects you,
we will first obtain your explicit consent. You may withdraw such consent at any time. Processing carried out prior to withdrawal remains lawful.
Your personal data may be used for profiling purposes. Profiling conducted by the Controller involves processing such data (including by automated means) to assess certain personal aspects, in particular to analyse or predict your preferences and interests in relation to the Controller’s offering.