Change the language version
TABLE OF CONTENTS:
- GENERAL PROVISIONS
- BASIS FOR DATA PROCESSING
- PURPOSE, BASIS AND PERIOD OF DATA PROCESSING ON THE WEBSITE
- RECIPIENTS OF DATA ON THE WEBSITE
- PROFILING ON A WEBSITE
- RIGHTS OF THE DATA SUBJECT
- COOKIES ON THE WEBSITE AND ANALYTICS
- FINAL PROVISIONS
1) GENERAL PROVISIONS
- The Controller of personal data collected via the Website is ROUTE2OPEN SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Leszno (registered office and correspondence address: Austriacka 4, 64-100 Leszno, Poland), entered in the register of entrepreneurs of the National Court Register under the KRS number 0000932849; the registration court, where the company’s documentation is kept: District Court Poznań-Nowe Miasto and Wilda in Poznań, VIII Commercial Division of the National Court Register; share capital amounting to: 5000,00 PLN; NIP 7831846387 , REGON 520458535, e-mail address: email@example.com – hereinafter referred to as “Controller” and being at the same time Service Provider on the Website.
- Personal data on the Website are processed by the Controller in accordance with the applicable legal provisions, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “RODO” or “RODO Regulation“. Official text of the RODO Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
- The Controller shall take particular care to protect the interests of persons to whom the personal data the Controller processes relate, and in particular shall be responsible for and ensure that the data the Controller collects are (1) processed lawfully; (2) collected for specified, legitimate purposes and not subject to further processing incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which they are processed; (4) kept in a form which permits identification of data subjects for no longer than is necessary to achieve the purpose of processing; and (5) processed in a manner which ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
- Having regard to the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and gravity, the Controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the RODO Regulation and to be able to demonstrate this. These measures shall be reviewed and updated as necessary. The Controller shall apply technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically.
2) BASIS FOR DATA PROCESSING
- The Controller shall be entitled to process personal data where, and to the extent that, at least one of the following conditions is fulfilled: (1) the data subject has given his or her consent to the processing of his or her personal data for one or more specified purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3) PURPOSE, BASIS AND PERIOD OF DATA PROCESSING ON THE WEBSITE
- In each case, the purpose, basis and period and recipients of the personal data processed by the Controller result from the activities undertaken by the person concerned on the Website.
- The Controller may process personal data on the Website for the following purposes, on the following basis and for the following period:
|Purpose of data processing||Legal basis for processing||Period of data retention|
|Use of Electronic Services and Digital Products available on the Website||Point (b) of Article 6(1) of the RODO Regulation (contract) – processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.||The data shall be stored for the period necessary to perform, terminate or otherwise expire the contract concluded for the provision of the Electronic Service or the supply of the Digital Product.|
|Direct marketing||Point (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for the purposes deriving from the Controller’s legitimate interests – consisting of taking care of the interests and good image of the Controller, Website of the Controller and striving to provide services and sell access to Digital Products||The data shall be stored for the period of existence of a legitimate interest pursued by the Controller, however, not longer than the period of limitation of the Controller’s claims against the data subject on account of the Controller’s business activities. The period of limitation shall be determined by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years). The controller is not allowed to process data for direct marketing purposes if the data subject expresses an effective objection in this respect.|
|Bookkeeping||Point (c) of Article 6(1) of the RODO Regulation (legal obligation) in connection with Article 74 sec. 2 of the Accounting Act, consolidated text of 30 January 2018 (Journal of Laws of 2018, item 395 as amended) – processing is necessary to fulfil a legal obligation incumbent on the Controller||The data is kept for the period required by the law requiring the Administrator to store accounting books (5 years, counting from the beginning of the year following the financial year to which the data refers).|
|Determining, pursuing or defending claims that may be raised by the Administrator or which may be raised against the Administrator||Point (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for the purposes deriving from the Controller’s legitimate interests – consisting of determining, asserting or defending claims which the Controller may raise or which may be raised against the Controller||The data shall be stored for the period of existence of the legally justified interest pursued by the Controller, however no longer than for the period of limitation of claims that may be raised against the Controller (the basic limitation period for claims against the Controller is six years).|
|Using the Website and ensuring that it works properly||Point (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for the purposes deriving from the Controller’s legitimate interests – consisting in running and maintaining the Website||The data shall be stored for the period of existence of a legitimate interest pursued by the Controller, however, not longer than the period of limitation of the Controller’s claims against the data subject on account of the Controller’s business activities. The period of limitation shall be determined by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years).|
|Keeping statistics and analysing traffic on the Website||Pont (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for purposes resulting from the Controller’s legitimate interests – consisting of conducting statistics and analysis of traffic on the Website in order to improve the functioning of the Website||The data shall be stored for the period of existence of a legitimate interest pursued by the Controller, however, not longer than the period of limitation of the Controller’s claims against the data subject on account of the Controller’s business activities. The period of limitation shall be determined by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years).|
4) RECIPIENTS OF DATA ON THE WEBSITE
- For the proper functioning of the Website, including the proper provision of Electronic Services and Digital Products by the Controller, it is necessary for the Controller to use the services of external entities (such as e.g. software provider, payment processor). The Controller shall only use the services of such processors who provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the RODO Regulation and protects the rights of data subjects.
- The personal data of the Service Recipients using the Website may be transferred to the following recipients or categories of recipients:
a. entities processing electronic or credit card payments – in the case of a Service Recipient who uses electronic or credit card payments on the Website, the Controller shall make the collected personal data of that person available to a selected entity processing the aforementioned payments on the Website at the request of the Controller to the extent necessary to process the payments.
d. providers of social plug-ins, scripts and other similar tools placed on the Website that enable a visitor’s browser to download content from the providers of these plug-ins and to transmit the visitor’s personal data to these providers for this purpose, including:
5) PROFILING ON A WEBSITE
- The Controller may use profiling on the Website for direct marketing purposes, but decisions made on its basis by the Controller do not concern conclusion or refusal of a specific contract with the Controller or the possibility to use Electronic Services and Digital Products on the Website. The effect of using profiling on the Website may be, for example, a reminder about unfinished purchases on the Website, sending a discount or a proposal for a service or product that may correspond to the interests or preferences of a given person, or proposing better conditions compared to the standard offer of the Website. Despite profiling, a given person makes a free decision whether he/she will want to use, for example, an offer or a discount received in this way.
- Profiling on the Website consists in automatic analysis or prediction of a given person’s behaviour on the Website, e.g. through analysis of previous purchases or history of activities undertaken on the Website. The condition of such profiling is that the Controller has the personal data of the given person in order to be able to send him/her e.g. a reminder about unfinished shopping, a discount code or an offer.
- The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning that person or significantly affects him or her in a similar manner.
6) RIGHTS OF THE DATA SUBJECT
- Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the Controller access to his/her personal data, their rectification, erasure (“right to be forgotten”) or restriction of processing and has the right to object to the processing, as well as has the right to portability of his/her data. The detailed conditions for exercising the rights indicated above are indicated in Articles 15-21 of the RODO Regulation.
- Right to withdraw consent at any time – the person whose data are processed by the Controller on the basis of the consent given (on the basis of point (a) of Article 6(1) or point (a) of Article 9(2) of the RODO Regulation) has the right to withdraw consent at any time without affecting the legality of the processing carried out on the basis of consent before its withdrawal.
- The right to lodge a complaint to the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint to the supervisory authority in the manner and mode specified in the provisions of the RODO Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
- Right to object – The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on point (e) of Article 6(1) (public interest or tasks) or point (f) of Article 6(1) (legitimate interest of the controller), including profiling under these provisions. The Controller shall in that case no longer be permitted to process those personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
- Right to object to direct marketing – where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling, to the extent which processing is related to such direct marketing.
7) COOKIES ON THE WEBSITE AND ANALYTICS
- Cookies are small information in the form of text files sent by a server and stored on the Website visitor’s side (e.g. on the hard drive of a computer, laptop or smartphone memory card – depending on the device used by the Website visitor). Detailed information on cookies, as well as the history of their creation can be found, among others, here: https://pl.wikipedia.org/wiki/HTTP_cookie.
- The cookies that may be sent by the Website can be divided into different types, according to the following criteria:
|Because of their supplier:||Due to their storage period on the device of the visitor to the Website:||In view of the purpose of their use:|
|1) own (created by the Controller’s Website) and|
2) belonging to third parties (other than the Controller)
|1) session (stored until logging out of the Website or turning off the web browser) and|
2) permanent (stored for a specific period defined by the parameters of each file or until manually deleted)
|In view of the purpose of their use:|
1) necessary (to enable the proper functioning of the Website),
2) functional/preferential (enabling the Website to adapt to the visitor’s preferences),
3) analytical and performance (gathering information about how the Website is used),
4) marketing, advertising and social networking (collecting information about a visitor to a Website in order to display advertisements to that person, personalise them and conduct other marketing activities, including on websites separate from the Website, such as social networking sites or other sites belonging to the same advertising network as the Website)
- The Controller may process the data contained in cookies when visitors use the Website for the following specific purposes:
|Purposes of using cookies on the Controller’s Website||Identifying a given person as logged in to the Website and showing that he/she is logged in (necessary cookies)|
|remembering the Digital Products added to the electronic shopping basket in order to be able to place an Order (essential cookies)|
|remembering data from completed forms, surveys or login data to the Website (necessary and / or functional / preferential cookies)|
|adapting the content of the Website to individual preferences of a given person (e.g. with regard to colours, font size, page layout) and optimisation of use of the Website’s pages (functional/preference cookies)|
|keeping anonymous statistics showing how the Website is used (analytical and performance cookies)|
|displaying and rendering advertisements, limiting the number of advertisements displayed and ignoring advertisements that a given person does not want to see, measuring the effectiveness of advertisements, as well as personalizing advertisements, i.e. researching the behavioral characteristics of visitors to the Website by anonymous analysis of their activities (e.g. repeated visits to the website specific pages, keywords, etc.) in order to create their profile and provide them with advertisements tailored to their expected interests, also when they visit other websites in the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. (marketing and advertising cookies and social)|
|monitoring of unfinished purchases (abandoned baskets) in order to send reminders about unfinished purchases|
- Checking in the most popular web browsers which cookies (including the period of operation of cookies and their provider) are being sent at a given moment by the Website is possible in the following way:
|In the Chrome browser:|
(1) in the address bar, click on the lock icon on the left, (2) go to the “Cookies” tab.
(1) in the address bar, click on the shield icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click on the box “Tracking cookies between sites”, “Social media tracking elements” or “Content with tracking elements”
|In Internet Explorer:|
(1) click the “Tools” menu, (2) go to the “Internet Options” tab, (3) go to the “General” tab, (4) go to the “Settings” tab, (5) click the “View Files” box
|In the Opera browser:|
(1) in the address bar click on the padlock icon on the left, (2) go to the “Cookies” tab.
|in the Safari browser:|
(1) click the “Preferences” menu, (2) go to the “Privacy” tab, (3) click in the “Manage site data” box
|Irrespective of the browser, using the tools available, for example, at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/|
in Chrome browser
in Internet Explorer
in Opera browser
in the Safari browser
in the Microsoft Edge browser
- The Controller may use Google Analytics and Universal Analytics services on the Website provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Controller keep statistics and analyse traffic on the Website. The data collected are processed by the above services to generate statistics that help administer the Website and analyse Website traffic. The data are of an aggregate nature. When using the above services in the Website, the Controller collects such data as the sources and medium of obtaining persons visiting the Website and their behaviour in the Website, information on the devices and browsers from which they visit the Website, IP and domain, geographical data and demographic data (age, gender) and interests.
- It is possible for a given person to easily block the provision of information to Google Analytics about his or her activities on the Website – for this purpose, you can, for example, install a browser add-on provided by Google Ireland Ltd. available here: https://tools.google.com/dlpage/gaoptout?hl=pl.
- On the Website the Controller may use the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Controller to measure the effectiveness of advertisements and find out what actions visitors take on the Website, and to display tailored advertisements to these visitors. You can find detailed information on how Facebook Pixel works at the following website address: https://www.facebook.com/business/help/742478679120153?helpref=page_content.
- Managing the operation of Facebook’s Pixel is possible through the ad settings in your Facebook account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
- The Controller may use CartFlows services on the Website to monitor and remind of unfinished purchases on the Website. CartFlows services are provided by BRAINSTORM FORCE US LLC, 300 Delaware Ave, Suite 210-A, Wilmington, DE 19801 US. Detailed information on how the Service works is available at: https://cartflows.com/docs/gdpr-compliance/
8) FINAL PROVISIONS