OBLIGATION TO PROTECT PERSONAL DATA UNDER THE GDPR IN Czatsy.com

Version 1.2 from March 19th, 2024 as third initial version during starting of Czatsy.com by DigiLand company, Poland  (“the Company) – the operator of Czatsy.com, with support of AISOT Sp. z o.o. (Ltd.) company, Poland (including “the Company” for all products in the category “Colourbook”all SKU 4-xxx).
Data od both above bodies of the Company are provided in Terms of Use and also below in this text.

The Company is the Processor of personal data collected by Czatsy.com website within the meaning of this document.

  • 1 [OBLIGATION TO PROTECT PERSONAL DATA UNDER THE GDPR FOR ENTITIES WHOSE INFRASTRUCTURE CZATSY.COM USES]

The Company uses the infrastructure of a secure datacenter Nazwa.pl, Poland and intermediary secure servers of Google LLC, USA and OpenAI LLC, Ireland. Due to the separate provisions of the GDPR regarding the provision of IT services in the European Union –  technology companies Nazwa.pl, Poland, Google LLC, USA and OpenAI LLC, Ireland – process data in a secure manner in compliance with the principles of the GDPR, which means that the Customer’s data sent by e-mail by Czatsy.com in correspondence with the Customer are protected in accordance with the GDPR.

  • 2 [GDPR PLUS MINIMUM MEDIUM AML RISK SITUATIONS]
  1. For most produsts the administrator of the customer’s personal data is the individual person of Company’s manager and owner Mariusz Sperczynski, i.e.:

DigiLand Co.., Warsaw, Poland,

Mariusz Sperczynski

Address: 37 Mickiewicza Str. Office no. 58

City:Warsaw

Post code: 01-625

Country:Poland / EU

Tax Identification Number 957-000-84-40

running for the role of such Administrator for Czatsy.com,

 

where the Company is:

DigiLand Co.., Warsaw, Poland,

Address: 37 Mickiewicza Str. Office no. 58

City:Warsaw

Post code: 01-625

Country:Poland / EU

Tax Identification Number 957-000-84-40

2. For produsts in the category “Colourbook” all SKU 4-xxx-  the administrator of the customer’s personal data is the CEO and 95%-shares owner Olexandr Latushkin of the comoany AISOT Sp. z o.o. (Ltd,) , i.e.:

AISOT Spółka z ograniczoną odpowiedzialnością (Ltd.) with its registered office in Warsaw, ul. ALEJA WINCENTEGO WITOS No. 31 lok. 14, 00-710 WARSAW, POLAND, entered into the register of entrepreneurs kept by the DISTRICT COURT FOR THE CAPITAL CITY OF WARSAW, 13TH COMMERCIAL DEPARTMENT OF THE NATIONAL COURT REGISTER under KRS number 0001094913, with share capital of PLN 5,000.00, with tax identification number NIP: 5214061817

running for the role of such Administrator for Czatsy.com for all products in the category “Colourbook”,

 

where for all products in the category “Colourbook”the Company is:

AISOT Spółka z ograniczoną odpowiedzialnością (Ltd.) with its registered office in Warsaw, ul. ALEJA WINCENTEGO WITOS No. 31 lok. 14, 00-710 WARSAW, POLAND, entered into the register of entrepreneurs kept by the DISTRICT COURT FOR THE CAPITAL CITY OF WARSAW, 13TH COMMERCIAL DEPARTMENT OF THE NATIONAL COURT REGISTER under KRS number 0001094913, with share capital of PLN 5,000.00, with tax identification number NIP: 5214061817

(II.) Purposes and legal bases for the processing of personal data.

    1. The Company processes personal data (personal data of Customers) for purposes related to the provision by Czatsy.com of the services indicated in this document. The above also includes the processing of personal data related to communication between Czatsy.com and Customers, to the extent that it is related to the purposes referred to in the first sentence, in particular to send customers information about the submitted order and its execution. The above also includes the processing of personal data related to the service process, directed by the Customer by e-mail or telephone, as well as via the contact form of any applications. Czatsy.com processes this personal data on the basis of article 6(1)(f) of the GDPR law, i.e. due to the fact that the processing of this data is necessary for the purposes resulting from the legitimate interests pursued by the Administrator, i.e. the proper performance of services provided by Czatsy.com  and its agents, including communication with the Customer in connection with the provision of services. In the scope related to handling the complaint handling process, Czatsy.com processes this personal data also on the basis of Article 6(1)(c) of the GDPR Regulation, because the processing of this data is necessary to fulfill the legal obligation incumbent on the Administrator, i.e. the obligation to consider complaints and keep documentation related to this process.
    2. Czatsy.com  processes Customers’ personal data related to the provision of services also in order to possibly pursue claims related to non-performance or improper performance of obligations related to the contract for the performance of services, e.g. for the performance and/or non-performance or improper performance of the service.  Czatsy.com processes this personal data on the basis of art. 6 par. 1 lit. f) of the GDPR Regulation, i.e. due to the fact that the processing of this data is necessary for the purposes resulting from the legitimate interests pursued by the Administrator related to the pursuit of claims.
    3. Czatsy.com processes customers’ personal data related to the provision of services by its agents to the extent necessary to prevent fraud related to the exchange or payment services performed or the operation of a payment system and to investigate and detect such fraud by the competent authorities.  Czatsy.com processes this personal data on the basis of Article 6(1)(c), (d) and (f) of the GDPR Regulation, i.e. due to the fact that these processing is necessary to fulfill the legal obligation incumbent on the Administrator and is necessary to protect the interests of users of exchange and payment services, as well as is necessary for the purposes of the legitimate interests pursued by payment service providers.
    4. Czatsy.com processes Clients’ personal data related to the provision of exchange or payment services for purposes related to the performance of obligations arising from the provisions on counteracting money laundering and terrorist financing, in particular to identify and assess the risks associated with money laundering and terrorist financing, apply security measures including, among others, identification of the Customer and verification of his identity.  Czatsy.com  processes this personal data on the basis of Article 6(1)(c) of the GDPR Regulation in connection with the provisions on counteracting money laundering and terrorist financing, i.e. due to the fact that the processing is necessary to fulfill the legal obligation incumbent on the Administrator as an obliged institution within the meaning of the provisions on counteracting money laundering and terrorist financing.
    5. In addition, Czatsy.com processes Clients’ personal data for other, legally permissible, purposes directly or indirectly related to the purposes referred to in paragraphs 1-4, in particular for archival and statistical purposes, for purposes related to audits, management control, or for purposes related to consulting.  Czatsy.com processes this personal data on the basis of article 6(1)(f) of the GDPR Regulation, i.e. in order to achieve the legally justified purposes of the Administrator.
  1. Categories of personal data that are processed.
    Czatsy.com processes primarily personal data of Customers related to the provision of exchange or payment services, including in particular: name(s) and surname (surnames), correspondence address, e-mail address, payment account number, including bank accounts, other identifier of the payment instrument used, telephone number. In certain cases related to counteracting money laundering and terrorist financing – Czatsy.com also processes additional personal data related to the identification of the Client’s person and verification of their identity, which includes, in particular, address, citizenship, gov id number (or dates of birth – if no PESEL number has been assigned), series and number of the document confirming the Customer’s identity, address of residence. For communication purposes, Czatsy.com primarily processes names, telephone numbers, email addresses.
  2. Information about the categories of data recipients. The recipient of the data is understood as a natural or legal person, public authority, entity or other entity to which Czatsy.com discloses the personal data of customers, regardless of whether it is a third party. However, public authorities which may receive personal data in the context of a specific procedure in accordance with Union or Member State law are not considered to be recipients. In connection with the above, Czatsy.com informs about the following categories of recipients: Czatsy.com agents, i.e. entities acting in the name and on behalf  of Czatsy.com (NOTE – in the version currently in force in these Regulations, i.e. as at November 24th, 2023.  – Czatsy.com has only one agent Blockenomy obliged to comply with the rules of the GDPR on the basis of these Regulations to the extent indicated in the previous part of this document), payment institutions; other payment service providers, including the payment service provider, which makes available to the customer the payment instrument used by the customer; the data is made available to these recipients to the extent that the data must be provided to them in connection with the provision of exchange or payment services (point II.1), and to the extent that the data must be provided to them for the purposes referred to in points II.3 and II.4, as well as in other cases where these entities are entitled to obtain from Czatsy.com information, including information containing personal data; in particular, this includes banks and branches of foreign banks, credit institutions, electronic money institutions, payment institutions, credit, payment, virtual card operators; entities providing legal services related to the activities of Czatsy.com ; recipients of payments, for purposes related to the payment performed; entities providing IT services related to Czatsy.com activities, including hosting services; entities providing audit and other services related to controlling Czatsy.com activities; accountants and statutory auditors examining documents related to Czatsy.com  activities  ; entities related to Czatsy.com; other than the entities indicated above, which on the basis of legal provisions are entitled to obtain from Czatsy.com information related to Czatsy.com activities, which information may include personal data of Customers, including in particular supervisory authorities towards Czatsy.com, recipients may also be other entities if the Customer’s personal data are made available to them on the basis of the Customer’s consent indicating such another recipient.
  3. Information about the intention to transfer personal data to a third country or international organization.
    Czatsy.com does not intend to transfer Customers’ personal data to a third country (i.e. a country outside the European Economic Area) or to an international organization.
  4. The period for which personal data will be stored or the criteria for determining this period.
    1. Customers’ personal data processed for Czatsy.com  the purposes referred to in point II.1 will be processed for the period of providing the payment service and for a period of 13 months from the date of debiting the payment account in connection with the exchange or payment service performed or for a period of 13 months from the date on which the exchange or payment transaction was to be performed, and after the expiry of this period – for the period resulting from the provisions of law,  including the Payment Services Act and tax regulations. In particular, Czatsy.com explains that AML regulations additionally require a correspondingly longer data retention period.
    2. Customers’ personal data processed for the purpose referred to in point II.2 will be processed for the period referred to in the paragraph above, but not longer than for the period in which it is possible to pursue claims in court, i.e. until the expiry of the limitation period for claims. However, if the period referred to in this paragraph expires earlier than the period referred to in the first subparagraph, Czatsy.com will cease to process personal data for the purpose and to the extent referred to in this paragraph, but may still process Customers’ personal data for the purposes and to the extent referred to in the first subparagraph.
    3. Customers’ personal data processed for the purpose referred to in point II.3 will be processed for the period necessary to achieve these purposes, in particular taking into account the limitation periods for the criminal record of such crimes.
    4. Customers’ personal data processed for the purpose referred to in point II.4 will be processed for the period resulting from the provisions of the law on counteracting money laundering and terrorist financing, in particular information obtained as a result of applying security measures is stored for a period of 5 years, counting from the first day of the year following the year in which the transaction with the Customer was carried out,  and information on transactions carried out by obliged institutions and documents relating to transactions shall be kept for a period of 5 years from the first day of the year following the year in which the last record relating to the transaction was made.
    5. Personal data of customers processed for the purpose referred to in point II.5 will be processed for the period appropriate to the original purpose for which they were collected. However, if other data were collected as part of this purpose than as a result of the implementation of the purposes referred to in points II.1-II.4, these data will be processed for the period of providing the payment service and 10 years from its completion, but not longer than until the date of objection to such processing, if it is justified.
  5. Information on the obligatory or optionality of providing personal data. Providing the data referred to in point II.1 is a contractual, as well as statutory requirement and in the scope of the so-called AML financial security procedures, the Customer is obliged to provide them. In the case of financial security procedure, if not provided, Czatsy.com will not be able to accept the order or payment and provide services. Providing the data referred to in point II.2 is a contractual requirement in cases to ensure financial security and the Customer is obliged to provide them. Therefore, if they are not provided, Czatsy.com  will not accept an exchange or payment order and will not provide the service. Providing the data referred to in points II.3 and II.4 is a statutory requirement in cases of ensuring financial security and the Customer is then obliged to provide them. Therefore, if they are not provided, Czatsy.com will not accept an exchange or payment order and will not provide the service.
  6. Information about the rights of Customers.
    1. The Customer has the right to request from the Administrator access to their personal data, including to obtain a copy of the personal data subject to processing. The first copy is free of charge. For any subsequent copies requested by the Customer, the Administrator may charge a reasonable fee resulting from administrative costs.
    2. The Customer has the right to request the Administrator to rectify their personal data that are incorrect, in particular because they were collected with errors or because they have changed after collection. The above right also includes the completion of missing data.
    3. The Customer has the right to request the Administrator to delete their personal data, with the proviso that this right may be exercised in the cases specified in the Regulation, i.e. when one of the following circumstances occurs:
      1. personal data are no longer necessary for the purposes for which they were collected or otherwise processed, in particular if the period in which the Administrator planned or was obliged to process your data has already expired;
      2. the consent on which the data processing is based has been withdrawn, unless the Administrator has another legal basis for the processing;
  • an objection to the processing has been lodged and there are no overriding legitimate grounds for the processing;
  1. if the personal data have been processed unlawfully;
  2. where the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the Controller is subject.

Czatsy.com may refuse to comply with a reasoned request for deletion referred to above in the cases provided for by law, in particular where further processing is necessary to comply with a legal obligation requiring processing under Union or Member State law, to establish, exercise or defend legal claims.


    1. The Customer has the right to request the Administrator to limit the processing of their personal data, under the conditions set out in the Regulation, i.e. when:
      1. The Customer disputes the correctness of personal data – for a period allowing the Administrator to check the correctness of these data;
      2. The processing is unlawful and the Customer objects to the deletion of the personal data, requesting instead the restriction of their use;
      3. Any legal controllers no longer need the personal data for the purposes of the processing, but they are needed by the customer to establish, exercise or defend claims;
      4. The Customer has objected to the processing – until it is determined whether the legitimate grounds on the part of the Administrator override the grounds for the Customer’s objection.

  1. The Customer has the right to object to the processing of their personal data by the Administrator in accordance with Article 21(1) of the Regulation, i.e. to object – for reasons related to a special situation – to the processing of their data based on Article 6(1)(e) or (f) of the Regulation, including profiling on the basis of these provisions. In the case of the Administrator, the above right to object applies to personal data processed for the purposes referred to in points II.2, II.3, II.5.. In the event of an objection, the Administrator may no longer process this personal data, unless he demonstrates the existence of compelling legitimate grounds for processing overriding the interests, rights and freedoms of the data subject or grounds for establishing, pursuing or defending claims. In particular, further processing of personal data despite the objection may result from the purposes referred to in points II.2 and II.3.
  1. The Customer has the right to object to the processing of their data by the Administrator in accordance with Article 21(2) of the Regulation, i.e. to object to the processing of their data for the purposes of such direct marketing, including profiling, to the extent that the processing is related to such direct marketing. In the event of exercising this right, the Administrator may no longer process the Customer’s data for the purposes of such direct marketing.
  2. The customer has the right to data portability. Therefore, the Customer has the right to receive in a structured, commonly used and machine-readable format his personal data that he has provided to the Administrator, and has the right to send this personal data to another administrator without hindrance from the Administrator. However, this right is vested in the Customer only in the scope of personal data that are processed on the basis of the Customer’s consent or on the basis of a contract, and in the scope of data the processing of which is carried out in an automated manner (in accordance with point IX. Czatsy.com does not process data in an automated manner). In exercising this right, the Customer may also request that his personal data be sent by the Administrator directly to another administrator, if it is technically possible.
  3. The Customer has the right to withdraw the consent referred to in point II.5 at any time. However, the withdrawal of consent does not affect the lawfulness of the processing that was carried out on the basis of consent before its withdrawal. In the event of withdrawal of consent, the Administrator ceases to process the customer’s personal data, which he processes only on the basis of consent. If the customer’s personal data are also processed on a basis other than this consent, the Administrator may continue to process them on this other basis – as long as it occurs.
  4. The customer has the right to lodge a complaint with the supervisory authority, i.e. one of the bodies established by individual EU Member States, whose task is to monitor the application of the Regulation. The supervisory authority competent for the territory of the Republic of Poland is the President of the Office for Personal Data Protection.
  1. Information about automated decision-making, including profiling. The Customer’s data will not be processed in an automated manner, including in the form of profiling.
  1. Processing of data for a purpose other than the purpose for which they were collected. Subject to point II.5 , Czatsy.com does not plan to further process Customers’ personal data for a purpose other than the purpose for which the personal data was collected.
  2. Sources of data origin. The Administrator obtains Customer data from Customers.

* Processing of personal data means an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.** Personal data  means information about an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.*** The payer is the person who intends to pay, as well as the person who has already paid,  through a payment agent cooperating with Czatsy.com – a specific monetary amount for the benefit of the payment recipient. In order to make this payment, the payer uses a payment instrument such as, for example, electronic banking or the payer’s card.**** The Merchant is the recipient of the payment from the Payer, for whom payment services are  provided  by the payment agent using the bank services.***** The GDPR Regulation (“Regulation”) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in  in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC****** Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the authority of the controller or processor, may process personal data. Processor, on the other hand, means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.