Privacy Policy
Rules on processing personal data on the speedpack.ie website
Effective from: 01.01.2024
PRIVACY POLICY OF THE SPEEDPACK.IE WEBSITE
- GENERAL PROVISIONS
- LEGAL BASIS FOR DATA PROCESSING
- PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING ON THE WEBSITE
- DATA RECIPIENTS ON THE WEBSITE
- PROFILING ON THE WEBSITE
- RIGHTS OF THE DATA SUBJECT
- COOKIES ON THE WEBSITE, USAGE DATA AND ANALYTICS
- FINAL PROVISIONS.
1) GENERAL PROVISIONS
- This privacy policy of the Website is informational in nature, which means it is not a source of obligations for the Website’s Service Recipients or Customers. The privacy policy primarily sets out the rules on the processing of personal data by the Controller on the Website, including the basis, purposes and scope of personal data processing and the rights of data subjects, as well as information on the use of cookies and analytics tools on the Website.
- The controller of personal data collected via the Website is Krzysztof Kwiatkowski, conducting business under the name Speedpack, registered with the Companies Registration Office Ireland under number 429839, with a place of business and address for correspondence at: DMG House, Deansgrange Business Park, Kill Lane, Deansgrange, Blackrock, Co Dublin, Ireland, email address: kontakt@speedpack.com.pl – hereinafter the “Controller”, who is also the Service Provider of the Website and the Seller.
- Personal data on the Website is processed by the Controller in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter the “GDPR”. Official text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- Using the Website, including entering into contracts, is voluntary. Similarly, the provision of personal data by a Service Recipient or Customer using the Website is voluntary, subject to two exceptions: (1) entering into contracts with the Controller – failing to provide the personal data necessary to conclude and perform a transport contract, a service contract or an Electronic Service contract with the Controller, in the cases and to the extent indicated on the Website, in the Website Terms & Conditions and in this privacy policy, results in the inability to conclude that contract. In such a case, providing personal data is a contractual requirement, and if the data subject wishes to enter into the given contract with the Controller, they are obliged to provide the required data. The scope of data required to conclude a contract is each time indicated in advance on the Website and in the Website Terms & Conditions; (2) the Controller’s statutory obligations – providing personal data is a statutory requirement arising from generally applicable law that obliges the Controller to process personal data (e.g. processing data for the purpose of keeping tax or accounting records), and failure to provide it will prevent the Controller from fulfilling those obligations.
- The Controller takes particular care to protect the interests of data subjects, and in particular is responsible for and ensures that the data it collects is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes; (3) accurate and adequate in relation to the purposes for which it is processed; (4) kept in a form that permits identification of data subjects for no longer than is necessary to achieve the purpose of processing; and (5) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Taking into account the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, the Controller implements appropriate technical and organisational measures to ensure that processing is carried out in accordance with the GDPR and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Controller applies technical measures to prevent the acquisition and modification of personal data transmitted electronically by unauthorised persons.
- All words, expressions and acronyms used in this privacy policy and beginning with a capital letter (e.g. Service Provider, Website, Electronic Service) should be understood in accordance with their definitions set out in the Website Terms & Conditions available on the Website.
2) LEGAL BASIS FOR DATA PROCESSING
- The Controller is entitled to process personal data where – and to the extent that – at least one of the following conditions is met: (1) the data subject has consented to the processing of their personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject’s request prior to entering into a contract; (3) processing is necessary to comply with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- Each instance of personal data processing by the Controller requires at least one of the bases set out in point 2.1 of the privacy policy. The specific bases for the processing of the personal data of the Website’s Service Recipients and Customers by the Controller are set out in the next section of the privacy policy – in relation to the given purpose of processing.
3) PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING ON THE WEBSITE
- In each case, the purpose, basis, period and scope, as well as the recipients of personal data processed by the Controller, result from the actions taken by the given Service Recipient or Customer on the Website.
- The Controller may process personal data on the Website for the following purposes, on the following bases, for the following periods and to the following extent:
Purpose of processing Legal basis for processing and data retention period Legal basis for processing and data retention period Performance of a contract or taking steps at the data subject’s request before entering into a contract Article 6(1)(b) GDPR (performance of a contract) Data is stored for the period necessary to perform, terminate or otherwise expire the concluded contract. Maximum scope: first and last name; email address; contact phone number; delivery address (street, house number, flat number, postcode, town, country), address of residence/business/registered office (if different from the delivery address). For Service Recipients or Customers who are not consumers, the Controller may additionally process the company name and the tax identification number (VAT/Tax number) of the Service Recipient or Customer. The scope indicated is the maximum – for example, in the case of personal collection, providing a delivery address is not necessary. Direct marketing Article 6(1)(f) GDPR (legitimate interest of the controller) Data is stored for the period during which the Controller’s legitimate interest exists, but no longer than the limitation period for claims against the data subject in connection with the Controller’s business activity. The limitation period is determined by applicable law (under the Irish Statute of Limitations the general limitation period for contract claims is six years). The Controller may not process data for direct marketing purposes where the data subject has effectively objected to such processing. Email address Marketing Article 6(1)(a) GDPR (consent) Data is stored until the data subject withdraws consent to further processing of their data for this purpose. First name, email address Keeping accounting/tax records Article 6(1)(c) GDPR Data is stored for the period required by the applicable law obliging the Controller to keep accounting/tax records First and last name; address of residence/business/registered office (if different from the delivery address), company name and tax identification number (VAT/Tax number) of the Service Recipient or Customer Establishing, pursuing or defending claims that the Controller may raise or that may be raised against the Controller Article 6(1)(f) GDPR Data is stored for the period during which the Controller’s legitimate interest exists, but no longer than the limitation period for claims against the data subject in connection with the Controller’s business activity. The limitation period is determined by applicable law (under the Irish Statute of Limitations the general limitation period for contract claims is six years). First and last name; contact phone number; email address; delivery address (street, house number, flat number, postcode, town, country), address of residence/business/registered office (if different from the delivery address). For Service Recipients or Customers who are not consumers, the Controller may additionally process the company name and the tax identification number (VAT/Tax number) of the Service Recipient or Customer.
4) DATA RECIPIENTS ON THE WEBSITE
- For the proper functioning of the Website, the Controller needs to use the services of third parties (such as a software provider, courier or payment processor). The Controller uses only such processors who provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR and protects the rights of data subjects.
- The Controller does not transfer data in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only where necessary to achieve the given purpose of processing and only to the extent necessary to achieve it.
- The personal data of the Website’s Service Recipients and Customers may be transferred to the following recipients or categories of recipients:
- carriers – where a Customer uses the Website to have a shipment delivered via an external courier company, the Controller shares the Customer’s collected personal data with the selected carrier, freight forwarder or intermediary handling shipments on the Controller’s behalf, to the extent necessary to deliver the Product to the Customer.
- electronic or card payment processors – where a Customer uses an electronic or card payment method on the Website, the Controller shares the Customer’s collected personal data with the selected entity handling those payments on the Controller’s behalf, to the extent necessary to process the payment made by the Customer.
- service providers supplying the Controller with technical, IT and organisational solutions enabling the Controller to conduct business, including the Website and the Electronic Services provided through it (in particular providers of software for running the Website, email and hosting providers, and providers of business management software and technical support to the Controller) – the Controller shares the Customer’s collected personal data with the selected provider acting on its behalf only where, and to the extent, necessary to achieve the given purpose of processing in accordance with this privacy policy.
- accounting, legal and advisory service providers giving the Controller accounting, legal or advisory support (in particular an accounting office, a law firm or a debt collection company) – the Controller shares the Customer’s collected personal data with the selected provider acting on its behalf only where, and to the extent, necessary to achieve the given purpose of processing in accordance with this privacy policy.
5) PROFILING ON THE WEBSITE
- The GDPR obliges the Controller to provide information about automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR, and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides information in this section of the privacy policy regarding possible profiling.
- The Controller may use profiling on the Website for direct marketing purposes, but decisions made by the Controller on this basis do not concern the conclusion or refusal to conclude a contract, or the ability to use the Electronic Services on the Website.
- Profiling on the Website consists of the automatic analysis or prediction of a person’s behaviour on the Website, or analysis of their past activity on the Website. A condition of such profiling is that the Controller holds the person’s personal data so as to be able to send them, for example, a discount code.
- The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
6) RIGHTS OF THE DATA SUBJECT
- Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the Controller access to their personal data, its rectification, erasure (“right to be forgotten”) or restriction of processing, and has the right to object to processing, as well as the right to data portability. Detailed conditions for exercising the above rights are set out in Articles 15–21 GDPR.
- Right to withdraw consent at any time – a person whose data is processed by the Controller on the basis of consent (under Article 6(1)(a) or Article 9(2)(a) GDPR) has the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority – a person whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner and procedure set out in the GDPR and Irish law, in particular the Data Protection Act 2018. The supervisory authority in Ireland is the Data Protection Commission (DPC), www.dataprotection.ie.
- Right to object – the data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of their personal data based on Article 6(1)(e) (public interest or task) or (f) (legitimate interest of the controller), including profiling based on those provisions. In such a case the Controller may no longer process that personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims.
- Right to object regarding direct marketing – where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling, to the extent that the processing relates to such direct marketing.
- To exercise the rights referred to in this section of the privacy policy, you can contact the Controller by sending a relevant message in writing or by email to the Controller’s address indicated at the beginning of the privacy policy, or using the contact form available on the Website.
7) COOKIES ON THE WEBSITE, USAGE DATA AND ANALYTICS
- Cookies are small text-based pieces of information sent by the server and saved on the device of the person visiting the Website (e.g. on the hard drive of a computer or laptop, or on the memory card of a smartphone – depending on the device used by the visitor). Detailed information about cookies, as well as their history, can be found, among others, here: http://en.wikipedia.org/wiki/HTTP_cookie.
- The Controller may process data contained in cookies when visitors use the Website for the following purposes:
- identifying Service Recipients as logged in to the Website and showing that they are logged in;
- remembering Products added to the cart in order to place an Order;
- remembering data from completed Order Forms and Website login data;
- keeping anonymous statistics on how the Website is used;
- By default, most web browsers available on the market accept the saving of cookies. Everyone can set the conditions for using cookies via their own browser settings. This means you can, for example, partially restrict (e.g. temporarily) or completely disable the saving of cookies – in the latter case, however, this may affect some functionalities of the Website.
- Browser settings regarding cookies are relevant to consent to the use of cookies by our Website – under the law, such consent may also be expressed through browser settings. If you do not wish to give such consent, you should change your browser’s cookie settings accordingly.
- Detailed information on changing cookie settings and deleting cookies yourself in the most popular web browsers is available in the browser’s help section and on the pages below (just click the relevant link):
- The Controller may use Google Analytics and Universal Analytics on the Website, provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). These services help the Controller analyse traffic on the Website. The collected data is processed within these services in an anonymised manner (this is so-called usage data, which does not allow identification of a person) to generate statistics helpful in administering the Website. This data is aggregated and anonymous, i.e. it does not contain identifying features (personal data) of the persons visiting the Website. Using these services on the Website, the Controller collects data such as the sources and medium of acquiring Website visitors and their behaviour on the Website, information about the devices and browsers used to visit the site, IP and domain, geographic data and demographic data (age, gender) and interests.
- A person can easily block the sharing of information about their activity on the Website with Google Analytics – to do so, you can install the browser add-on provided by Google Inc., available here: https://tools.google.com/dlpage/gaoptout?hl=en.
8) FINAL PROVISIONS
- The Website may contain links to other websites. The Controller encourages you, after going to other sites, to read the privacy policy established there. This privacy policy applies only to the Controller’s Website.