With due regard to the right to privacy, this Privacy Policy sets out the rules for the processing of personal data by HOLA DESIGN Spółka z ograniczoną odpowiedzialnością, with its registered office in Warsaw, at ul. Ludwika Rydygiera 18 lok. 2, 01-793 Warsaw, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, under KRS No.: 0001174677, NIP: 5253047448 (hereinafter referred to as the “Controller”), in accordance with the requirements arising from national and European law, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”).
Accordingly, we inform you about the methods of processing the personal data of users of the website available at: https://hola-design.pl/, in connection with the Controller’s business operations, website management, provision of services, business relations, and communication with users.
This Policy explains what personal data is collected, what rights users have in relation to the processing of personal data, how such data may be used, processed, disclosed, and how it is protected.
The protection of personal data is an important aspect of our business activity. Therefore, the Controller makes every effort to process personal data in a safe and professional manner.
The controller of personal data (i.e. the entity deciding on the purposes and means of processing personal data) is:
HOLA DESIGN Spółka z ograniczoną odpowiedzialnością
Rydygiera 18/2
Warsaw, Poland
KRS: 0001174677
VAT ID: PL5253047448
You may contact the Controller:
This Privacy Policy regulates the cases in which the Controller processes users’ personal data — obtained directly from the data subject or acquired from other sources (in particular from the entity represented by the data subject, from publicly available registers such as CEIDG or KRS, as well as from websites).
Regardless of the above, the Controller fulfils the information obligations referred to in Article 13 or Article 14 of the GDPR.
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to a name and surname, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The type of personal data collected and processed depends on the relationship with the Controller and the type of services provided. The following data may be collected:
Personal data may be collected in various ways, including:
Personal data is processed for various purposes. Depending on the purpose, different methods of data collection, legal bases, and retention periods may apply.
Personal data may be processed for the purpose of concluding and performing a contract:
Use of the services offered by the Controller involves the processing of personal data for the following purposes:
Personal data provided in the contact form will be processed for the purpose of correspondence and handling your enquiry or request.
The legal basis is the Controller’s legitimate interest under Article 6(1)(f) GDPR, consisting in contact with a current or potential client and responding to an enquiry or request.
Retention period: no longer than 3 years from the end of contact or until an effective objection is raised.
If you send correspondence to the Controller in traditional written form, by e-mail, or contact the Controller by telephone, and such contact is not related to the provision of services or the performance of a contract, your personal data will be processed in order to handle your request or enquiry.
Processing is based on the Controller’s legitimate interest under Article 6(1)(f) GDPR, consisting in conducting correspondence, maintaining contact, and handling requests or enquiries connected with its business activity.
The Controller may request personal data necessary to handle your enquiry. Providing personal data is voluntary, but necessary to process the request.
Retention period: no longer than 3 years from the end of contact or until an effective objection is raised.
If contact is related to a contract concluded by the Controller’s contractor or to activities related to its conclusion and performance, personal data is processed for the purpose of performing the contract, taking steps prior to the conclusion of the contract at the request of the data subject, or on the basis of the Controller’s legitimate interest consisting in protecting its rights and defending or pursuing claims, pursuant to Article 6(1)(b) and (f) GDPR, and, where applicable, on the basis of consent pursuant to Article 6(1)(a) GDPR.
If the contact is not related to the conclusion or performance of a contract, the personal data provided will be processed in order to handle the request or enquiry, on the basis of the Controller’s legitimate interest under Article 6(1)(f) GDPR, consisting in handling requests and enquiries in connection with its business activity.
The Controller may request data necessary to handle the enquiry. Providing personal data is voluntary, but necessary to process the request.
Retention period: for the duration of the cooperation and until the limitation period for claims expires.
If an application, complaint, or claim is submitted, personal data will be processed for the purpose of handling and resolving the submission, as well as to comply with the legal obligations binding on the Controller, and on the basis of the Controller’s legitimate interest pursuant to Article 6(1)(c) and (f) GDPR, consisting in handling requests, complaints, and claims in connection with its business activity and ensuring the proper handling and resolution process.
The Controller may request data necessary to handle the submission. Providing personal data is voluntary, but necessary for handling the matter.
Where consent has been given, personal data will be processed for the purpose of sending commercial information, offers, promotional materials, newsletters, as well as direct marketing by correspondence and telephone.
Processing is based on your consent and on the Controller’s legitimate interest consisting in the direct marketing of its own products and services, pursuant to Article 6(1)(a) and (f) GDPR.
Retention period: until consent is withdrawn or until an effective objection is raised.
Personal data may also be processed where necessary to comply with a legal obligation binding on the Controller, including obligations arising from generally applicable law, tax and accounting obligations, bookkeeping and financial reporting, issuing VAT invoices, fulfilling information obligations, etc., pursuant to Article 6(1)(c) GDPR.
Personal data may also be processed on the basis of the Controller’s legitimate interest for analytical and statistical purposes, satisfaction and preference surveys, and activities related to improving effectiveness, service quality, and adapting services to clients’ needs, pursuant to Article 6(1)(f) GDPR.
Retention period: for the period required by law.
In view of the need to ensure the security of processed personal data, the Controller has implemented internal rules and standards concerning the handling and processing of personal data, including measures intended to limit the number of persons with access to such data and to ensure an appropriate level of protection.
The Controller undertakes legal, technical, and organisational measures and implements appropriate procedures to ensure the confidentiality and integrity of processed personal data.
Personal data may be disclosed to entities cooperating with the Controller, subject to applicable procedures and security rules for personal data processing.
In order to provide services at the highest level, the Controller may share certain information and data internally or with third parties. In addition, disclosure of data may be required by generally applicable law — in such cases, the Controller will disclose data where necessary to comply with a legal obligation.
Your personal data may be disclosed to entities whose services are used by the Controller, including:
The Controller may share data stored in cookies with trusted partners in order to assess the attractiveness of advertisements and services and to improve the quality and effectiveness of services. The sharing of data stored in cookies depends on consent. Detailed information on cookies and on data processing on the Controller’s website can be found in the Cookie Policy.
As a rule, data is not transferred outside the European Economic Area (EEA). However, data may be transferred outside the EEA — in particular to Google LLC, based in Mountain View, United States, in connection with the use of electronic mail systems. The Controller may also store personal data in a location subject to a different jurisdiction than your place of residence or registered office.
Any transfer of data outside the EEA, for example to the United States, takes place only where the receiving entity ensures an adequate level of data protection, for example on the basis of a decision of the European Commission or on the basis of standard contractual clauses requiring an appropriate level of personal data protection.
The retention period means the period during which the Controller may process personal data. This period depends on the legal basis for processing.
The Controller will not process personal data for longer than is justified by the applicable legal basis. Data will be processed only to the extent necessary for the performance of the Controller’s obligations, for the period necessary to achieve the purposes for which the data was collected, and in accordance with internal procedures and generally applicable law.
After the end of the processing period, the Controller will take the steps required by law to delete the data from systems and registers or anonymise it.
Accordingly, where data is processed by the Controller:
The above retention periods may be extended by the time necessary to defend or pursue claims. After that period, the personal data will be deleted or anonymised.
After consent is withdrawn or an objection is raised, personal data may still be stored for the purpose of demonstrating compliance with legal obligations or until the expiry of the limitation period for claims, whichever is longer.
A person whose personal data is processed has the following rights:
To exercise the above rights, please contact the Controller:
Providing personal data for the purpose of handling a request or enquiry, regardless of the form in which it is submitted, is voluntary, but necessary for handling the matter and providing a response. Failure to provide the required data, including contact details, will make it impossible to handle and process the request.
Providing the data indicated in the contact form as mandatory is necessary in order to handle the enquiry and provide a response. Failure to provide such data will make it impossible to submit the enquiry.
Providing data in connection with the conclusion, performance, and execution of a contract is voluntary, but necessary for the proper provision of the service and performance of the contract. Failure to provide such data will make it impossible to conclude a contract with the Controller.
The Controller may require the provision of data where necessary to fulfil legal obligations. In such cases, providing the data is mandatory, and failure to do so will prevent the Controller from performing the required actions.
Providing data necessary for sending commercial information, offers, promotional materials, newsletters, as well as marketing by correspondence and telephone, is voluntary, but necessary in order to send such information in the intended forms. Failure to provide such data will make it impossible to send the above information.
Information collected by the Controller in connection with the use of the website and services may be processed in an automated manner. The Controller may use analytical and marketing tools in order to tailor content and advertisements. Such processing does not lead to decisions producing legal effects concerning you or similarly significantly affecting your situation.
Where targeting and profiling are carried out by the Controller’s partners, i.e. automated processing of personal data involving, among other things, the use of personal data to analyse or predict personal preferences, location, behaviour, etc., partners’ cookies are used. Such processing therefore requires consent, which may be withdrawn at any time, without affecting the lawfulness of processing carried out before the withdrawal.
Detailed information regarding cookies, including their types, methods of use, and management, is provided in a separate document: Cookie Policy, available on the Controller’s website.
This Privacy Policy may be updated from time to time, in particular in the event of organisational, technological, or legal changes. The Controller recommends reviewing the Privacy Policy regularly in order to remain informed about the current content of this document.
The current version of the document is published on the website in the “Documentation” section.