THE PRIVACY POLICY WITH THE UK GDPR (THE UNITED KINGDOM GENERAL DATA PROTECTION REGULATION) INFORMATION CLAUSE

This Privacy Policy, which can be found under the “Privacy Policy” section on the website, outlines the terms for processing and protecting customers’ personal data, as well as the conditions for storing and accessing information by using cookies stored on the devices of users of the www.on-top.com website.
This Privacy Policy applies when you use the website administrator’s services, meaning you use the website by contacting the website administrator. For example:
a) You contact the administrator via e-mail or by using the form which is available on the website.
b) You receive messages from the administrator via e-mail or by phone.

I. TERMS EXPLAINED

1. Administrator - The person responsible for customers’ personal data - ON-TOP LEWANDOWSKI LIMITED, based in Grays, Felicia Way, company number 11413621, which was entered into the Register by the executive agency Companies House, sponsored by the Department of Business, Energy & Industrial Strategy. Contact e-mail address: office@on-top.com.
2. Cookies - IT data, in particular, text files saved and stored on customers’ devices used for accessing the website.
3. Customer - Any person using the website or contacting the administrator.
4. Website - Any page controlled by the administrator such as www.on-top.com.
5. Device - Any electronic equipment used by customers to access the website.
6. UK GDPR - The United Kingdom General Data Protection Regulation of the European Union 2016/679 introduced on the 27th of April 2016.

II. THE GENERAL DATA PROTECTION

1. The website administrator processes customers’ personal data such as name, date of birth, e-mail address, postal address, chosen password, company name and details, telephone number, order history, and any additional information used to easily access the website.
2. The website administrator uses customers’ personal data to provide customers with the administrator’s services such as account registration, purchase and sale of goods, processing returns, and for receiving and sending messages via e-mail regarding the process or any information related to the agreement or to its conclusion.
3. The legal basis for data processing is that the processing is necessary for the performance of the agreement or to act on behalf of the data subject before the agreement is concluded (Article 6 (1) (b) of the UK GDPR), and certain legal regulations that allow the administrator to process data in order to fulfil a legal obligation, such as accounting and tax regulations (Article 6 (1) (c) of the UK GDPR).
4. The website administrator uses personal data to contact the customers via e-mail, to improve website services, to inform about any changes and to give answers, explanations, and information. The legal basis for data processing is that the processing is necessary for the purposes of the administrator’s legitimate interest (Article 6 (1) (f) of the UK GDPR).
5. The website administrator sends advertising information in the form of a newsletter to the e-mail address and/or telephone number provided by the customers only after getting their consent. The legal basis for data processing is the customers’ consent (Article 6 (1) (a) of the UK GDPR). The customers can unsubscribe from receiving the newsletter at any moment by changing the account settings. The withdrawal of the consent does not affect the lawfulness of data processing which was carried out before the consent withdrawal.
6. The website administrator only requires the customers to provide personal data that is necessary for the performance of the agreement: providing services, the sale of goods and replying to messages. The website administrator will be unable to perform the agreement or to provide answers if customers do not provide the necessary information. Providing personal data by the customers is voluntary except in the cases mentioned above.
7. The website administrator entrusts customers’ personal data for processing to service providers that perform specific duties and functions on behalf of the administrator. The administrator entrusts customers’ personal data to service providers for:
a) The provision of IT services.
b) The support of the website.
c) The provision of the services related to storing personal data.
d) The processing of the payments.
e) The provision of accounting services.
f) The provision of courier services.
The administrator entrusts to the service providers mentioned above only the data that is necessary for the correct performance of the services for or on behalf of the administrator. In the case of data processing, the administrator ensures that the service provider processes the data in compliance with the safety requirements and makes sure that the data will not be used for any purposes other than the provision of services for or on behalf of the administrator.
8. In the case where the customer makes a purchase via the website, the administrator provides the seller with access to the customer’s personal data given upon the account registration and completion of the purchase necessary for the performance of the agreement for the sale of goods between the seller and the customer, such as name, e-mail address, telephone number, order details and any additional note written by the customer. The processing of the personal data is necessary for the performance of the agreement with the seller (the legal basis for data processing by the seller under Article 6 (1) (b) of the UK GDPR).
9. The website administrator does not provide personal data to any person other than the service providers mentioned above, except in cases where it is necessary due to legal regulations or the authorities’ decision, as well as in cases where it is necessary to establish, perform or defend the administrator’s rights.
10. The administrator may provide personal data outside the European Union, especially in the case of the sale of goods by sellers from outside the European Union, under adequate protection on the legal basis of the UK GDPR. In that case, the administrator must fulfil at least one of the following conditions:
a) The European Union accepts the data protection measures applied in the destination country that is not an EU member.
b) The administrator ensures that the appropriate protection is in place by including certain clauses in the agreement with any person from outside the European Union.
11. The administrator processes the customers’ personal data only for the period necessary for the appropriate performance of the agreement, such as completion of the agreement, provision of the services and the pursuit of claims made in connection with the performance of the agreement, and only to the required extent.
12. In order to provide the appropriate level of security for the processed personal data, the administrator ensures that adequate technical and organisational measures are put in place.
13. The customers can access their personal data as well as request a copy of their data that is being processed by the administrator.
14. The customers can also change their personal data in the case where the details are incomplete, out of date or incorrect.
15. The customers can object to the processing of their personal data by the administrator.
The “marketing” objection - The customers can object to the processing of their personal data for purposes of direct marketing.
The objection regarding a certain matter - The customers can object to the processing of their personal data on the basis of the legal interest for purposes other than direct marketing, as well as when the processing of their personal data is required by the administrator to perform an activity in the public interest. The customers have to indicate a certain matter which explains the objection to the processing of the personal data by the administrator. In this case, the administrator will not process customers’ personal data, unless he proves that the processing of the personal data is required or that he needs the data to establish, investigate or defend claims.
16. The customers can request to restrict the processing of their personal data by the administrator.
17. The customers can also request to delete their personal data.
18. In addition, the customers can transfer their personal data to any indicated person.
19. The customers can make a complaint about the protection of personal data to the relevant authority: the Information Commissioner’s Office (ICO), website: www.gov.uk/data-protection.
20. The administrator does not profile the data and does not automatically collect any information except the information included in cookie files upon customers’ consent.
21. The website may show links to other pages. These pages are independent and are not controlled by the website administrator. We recommend checking individual Privacy Policies and terms and conditions on other websites.