Controller – PRZEDSIĘBIORSTWO “ROL-RYŻ” SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ [“ROL-RYŻ” ENTERPRISE, LIMITED LIABILITY COMPANY], address: ul. Celna 2, 81-337 Gdynia, NIP [Tax ID No]: 5860158849, REGON [National Business Register No]: 190576327
Personal data – all information about a natural person identified or identifiable based on one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity, including equipment IP, location data, online identifier and information gathered by means of cookie files and another similar technology.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Website – website kept by the Controller at the address: www.ryz.pl
User – each and every natural person who visits the Website or who benefits from one or more services or functionalities described in the Policy.
2. PROCESSING OF DATA IN VIEW OF USING THE WEBSITE
In view of using the Website by a User, the Controller collects data within the scope necessary for commercial contact as well as information about a User’s activity on the Website by means of cookies. Detailed principles on and purposes of processing personal data gathered while using the Website by a User are described below.
3. PURPOSES AND LEGAL BASES OF PROCESSING DATA ON THE WEBSITE
USING THE ROL-RYŻ.PL WEBSITE
Personal data of all persons using the Website (including IP address or other identifiers and information gathered by means of cookies or other similar technologies) and not being registered Users (i.e. persons who do not have profiles on the Website) is processed by the Controller:
to provide services by electronic means within the scope of making content gathered on the Website accessible to Users, making contact forms accessible – should this be the case, necessity for processing to perform a contract (Article 6 (1) point (b) of the GDPR) is the legal basis for processing;
for marketing purposes of the Controller and other entities, in particular connected with presentation of a behavioural advertisement – principles on processing personal data for marketing purposes are described in the “MARKETING” section.
A User’s activity on the Website, including their personal data, is registered in system logs (special computer program used for storage of chronological record containing information about events and activities concerning an information system used for providing services by the Controller). Information gathered in logs is processed in view of providing services. The Controller processes it also for technical purposes in particular, data may be temporarily stored and processed to ensure security and proper operation of information systems e.g. in view of making backup copies, tests of changes in information systems, detection of irregularities or protection against abuses and attacks.
The Controller ensures a possibility of contacting it with the use of electronic contact forms. To use the form, it is required to provide personal data necessary for contacting a User and giving an answer to a query. A User may also provide other data to make contact or the query handling process easier. Providing data marked as obligatory is required to accept and handle a query and if it is not provided, a matter shall not be handled. Provision of the other data is voluntary.
Personal data is processed:
to identify a sender and to handle their query sent by means of the available form – necessity for processing to perform a service provision contract (Article 6 (1) point (b) of the GDPR) is the legal basis for processing;
The Controller processes Users’ personal data to implement marketing activities which may consist in:
sending email notices about interesting offers or content which, in some cases, contain commercial information;
conducting another type of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).
In order to implement marketing activities, the Controller is involved in profiling in some cases. It means that thanks to automatic processing of data, the Controller assesses selected factors concerning natural persons to analyse their behaviour or to create a forecast for the future.
5. DIRECT MARKETING
If a User has given their consent to obtain marketing information via email, SMS and other electronic means, the User’s personal data shall be processed to send such information.
A legitimate interest of ROL-RYŻ consisting in sending marketing information within the limits of consent given by a User (direct marketing) is the basis for processing data. A User has the right to lodge an objection to processing data for the needs of direct marketing, including profiling. For this purpose, data shall be stored for the duration of the legitimate interest of ROL-RYŻ unless a User objects to obtaining marketing information.
6. SOCIAL MEDIA
The Controller processes personal data of Users visiting the Controller’s profiles kept in social media (Facebook, YouTube, Instagram). This data is processed only in view of keeping a profile, including for the purpose of informing Users about the Controller’s activity and promotion of various types of events, services and products as well as to communicate with Users via functionalities available in social media. The Controller’s legitimate interest (Article 6 (1) point (f) of the GDPR) consisting in promotion of own brand as well as building and maintenance of community connected with the brand is the legal basis for processing personal data by the Controller for this purpose.
7. COOKIE FILES AND A SIMILAR TECHNOLOGY
Cookies are small text files installed in a device of a User who browses through the Website. Cookies collect information making it easier to use the website – e.g. by remembering a User’s visits on the Website and operations carried out by a User.
cookies with data entered by a User (session identifier) for the duration of a session (eng. user input cookies);
authentication cookies used for services which require authentication for the duration of a session;
cookies used for ensuring security e.g. used for detection of abuses within the scope of authentication (eng. user centric security cookies);
multimedia player session cookies (e.g. flash player cookies) for the duration of a session;
permanent cookies used for User interface customization for the duration of a session or a bit longer;
cookies used for remembering content of a shopping cart for the duration of a session (eng. shopping cart cookies);
cookies used for monitoring website traffic i.e. data analytics, including Google Analytics cookies (they are files used by Google to analyse the manner of using the Website by a User, to draw up statistics and reports on functioning of the Website). Google does not use collected data to identify a User and does not combine this information to enable identification. Detailed information about the scope of and principles on collection of data in view of this service can be found under the link: https://www.google.com/intl/pl/policies/privacy/partners.
a User’s consent. This consent may be given by appropriate configuration of a browser and may be withdrawn at any time, in particular by clearing the cookies history and deactivation of cookies in a browser’s settings.
8. PERSONAL DATA PROCESSING PERIOD
The period of processing data by the Controller depends on the type of the service provided and purpose of processing. In principle, data is processed for the service provision period or order execution period by the time of withdrawing the consent given or lodging an effective objection to processing data in the case when the Controller’s legitimate interest is the legal basis for processing data.
The data processing period may be extended in the case when processing is necessary to establish and assert potential claims or to defend against them and after this time – only in the case and within the scope in which this is required by legal provisions. After the processing period expires, data is irreversibly erased or depersonalised.
9. USER’S RIGHTS
Data subjects have the following rights:
Right to information about processing personal data – on this basis, a person who submits such
a demand shall be provided by the Controller with information about processing personal data, including first of all about the purposes and legal bases of processing, the scope of possessed data, entities to which/whom personal data is disclosed and planned date/time-limit of its erasure;
Right to obtain copies of data – on this basis, the Controller provides a copy of processed data concerning a person who submits such a demand;
Right to rectification – on this basis, the Controller removes potential discrepancies or errors on processing personal data and complements it or updates it if incomplete or changed;
Right to erasure of data – on this basis, one can demand erasure of data the processing of which is no longer necessary for achievement of any purpose for which it has been collected;
Right to restriction of processing – on this basis, the Controller ceases conducting operations on personal data, except operations to which a data subject has given consent, and ceases storing it, in line with the adopted retention principles or until reasons for restriction of data processing have ceased (e.g. a decision of a supervisory body allowing data to be processed further is given);
Right to data portability – on this basis, within the scope in which data is processed in view of
a contract concluded or consent given, the Controller shall provide data delivered by a data subject, in a format allowing a computer to read it. It is also possible to demand that this data be sent to another entity – however, provided that there are technical possibilities within this scope both on the part of the Controller and on the part of that another entity;
Right to object to processing data for marketing purposes – a data subject may at any time object to processing personal data for marketing purposes, without the necessity to justify such an objection;
Right to object to other data processing purposes – a data subject may at any time object to processing personal data based on the Controller’s legitimate interest (e.g. for analytical or statistical purposes or in view of safeguarding of assets). An objection within this scope should include a justification and is subject to the Controller’s assessment;
Right to withdraw consent – if data is processed on the basis of consent, a data subject has the right to withdraw it at any moment, which however does not have an influence on the lawfulness of processing before withdrawal of this consent;
Right to lodge a complaint – if it is considered that processing of personal data infringes the GDPR provisions or other provisions on protection of personal data, a data subject may lodge a complaint to the President of the Personal Data Protection Office.
A petition for exercising rights of data subjects may be submitted:
in writing to the address: PRZEDSIĘBIORSTWO “ROL-RYŻ” SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ [“ROL-RYŻ” ENTERPRISE, LIMITED LIABILITY COMPANY], ul. Celna 2, 81-337 Gdynia, NIP [Tax ID No]: 5860158849, REGON [National Business Register No]: 190576327
by email to the address: email@example.com
with information about which right the person who lodges the petition wants to benefit from (e.g. right to obtain copies of data, right to erasure of data, etc.);
with information about which process of processing the demand refers to (e.g. benefiting from
a particular service, activity on a particular website, obtainment of a newsletter containing commercial information to a given email address, etc.);
with information about which processing purposes the demand refers to (e.g. marketing purposes, analytical purposes, etc.).
If the Controller is unable to establish the content of the demand or identify the person lodging the petition based on the notice filed, it shall turn to the petitioner for additional information.
An answer to the notice shall be given within a month from a date of its receipt. If it is necessary to prolong this time-limit, the Controller shall inform the petitioner about reasons for such prolongation.
An answer shall be provided to an email address from which the petition has been sent and with regard to petitions sent by letter – by ordinary post to an address indicated by the petitioner if the letter does not include information about willingness to obtain feedback to an email address (should this be the case, an email address must be given).
10. RECIPIENTS OF DATA
In view of performing services, personal data shall be disclosed to external entities, including in particular to suppliers/providers in charge of operating information systems, legal entities and entities affiliated to the Controller.
The Controller reserves the right to disclose particular information concerning a User to relevant bodies or third parties who/which will submit a demand to provide such information, based on an appropriate legal basis and in accordance with provisions of the law in force.
11. PROVISION OF DATA OUTSIDE THE EEA
The Controller does not provide collected data outside the EEA.
12. SECURITY OF PERSONAL DATA
The Controller carries out an analysis of risk on a current basis to ensure that personal data is processed by it in a safe manner – guaranteeing, first of all, that only authorised persons have access to data and only within the scope in which it is necessary in view of the tasks performed by them. The Controller ensures that all operations on personal data are registered and carried out only by authorised staff members and co-workers.
The Controller takes any and all necessary measures so that also its subcontractors and other cooperating entities will guarantee that appropriate security measures are applied in each and every case when they process personal data to the order of the Controller.
13. CONTACT DATA
The Controller can be contacted via the email address: firstname.lastname@example.org
The Policy is verified on a current basis and updated if necessary.