Article 1. Introduction
Article 2. Personal Data
1. Kinga Pienińska Sp. z o.o. with its registered office in Krakow, Aleja 3 Maja 9, 30-062 Krakow, entered in the register of entrepreneurs of the National Court Register under no. KRS 0000131372, the registry files of which are kept by the District Court for Krakow – Śródmieście in Krakow, 11th Commercial Division of the National Court Register, holding business statistical number REGON 350925770 and tax identification number NIP 6791028356 (hereinafter KP or the Controller) is the Controller of the personal data provided in the form made available on www.kingapieninska.pl Website.
2. KP has appointed a data protection officer who may be contacted via e-mail at firstname.lastname@example.org or by a letter sent to KP’s registered address. The data protection officer may be contacted in all matters involving the processing of personal data and the exercise of the rights related to the processing of such data.
3. The Controller assures the exercise of all rights derived from:
a. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter also ‘GDPR’;
b. Act on Provision of Services by Electronic Means of 18 July 2002 (Journal of Laws No. 144 item 1204, as amended); and
c. Telecommunication Law of 16 July 2004 (Journal of Laws No. 171 item 1800, as amended).
4. The Controller is aware of the risks inherent in the processing of personal data on the Internet and commits to ensuring an adequate level of privacy and security for the Users. The tools being used have been selected with a view to ensuring adequate protection of personal data processing in compliance with legal requirements.
5. The data are processed exclusively in the electronic format. The data are stored on the servers deployed at the Controller’s registered address in a room satisfying all technical requirements applicable to this type of premises. The server room has been secured against unauthorised access and solely the persons designated by the Controller are granted access thereto. The Controller keeps a list of the persons authorised to access the server room.
6. The Controller oversees compliance with the rules and regulations governing personal data protection.
Article 3. Personal Data Security
1. The Controller implements and operates the necessary technical and organisational measures to ensure adequate protection of personal data against unauthorised disclosure, seizure, unlawful processing, alteration, loss, damage or destruction.
2. Only the persons duly authorised by the Controller in writing have access to the personal data collected on the Website.
3. Access to the IT system, in which personal data are collected, has been secured with a password known solely to the Controller and the persons authorised to process personal data.
4. The Controller applies the technical measures preventing unauthorised seizure and modification of personal data transmitted by electronic means, in particular:
a. uses the most recent and up-to-date source code managing the Website’s functions and data within the databases;
b. relies on a server infrastructure protected by a firewall, encrypted SSH for remote access, SSL, compulsory authorisation for the entirety of the traffic, backup copies of the databases; and
c. monitors all operations involving the personal data collected in personal data filing systems.
Article 4. Purposes, Methods of and Legal Basis for Personal Data Processing
1. The data collected via the Website are used to:
a. perform the obligations arising under the signed contract for provision of services by electronic means, within the scope outlined in Article 18 of the Act on Provision of Services by Electronic Means;
b. enable the Controller to contact the User based on the User’s consent given by clicking on the relevant checkbox on the Website.
c. The data collected via the Website may be transmitted to KP’s employees and collaborators and to the entities providing IT services to KP.
2. The data collected via the Website shall be stored throughout the period of provision of services to the User by electronic means and, thereafter, may be stored also for the period over which the User is likely to file claims with the Controller in connection with the provision of those services (the claims’ prescription period) and over the period in which the competent state authorities are likely to request access to such data in the performance of their control activities.
3. Provision of personal data is voluntary. However, it may be necessary to enable the User to take advantage of some functionalities of the Website.
2. Two primary types of cookies are used on the Website, namely session cookies and persistent cookies. Session cookies are temporary files that are stored on the User’s device until the User logs out, leaves the Website or switches off the software (the Internet browser). Persistent cookies are stored on the User’s device over the time period specified in their parameters or until their removal by the User.
3. The following types of cookies are used on the Website:
a. ‘strictly necessary cookies’ enabling the use of the services made available via the Website, e.g. authenticating cookies used for the services requiring authentication on the Website;
b. ‘safety cookies’, e.g. used for detecting authentication breaches on the Website;
c. ‘performance cookies’ that enable collecting information on the manner of use of the Website’s pages;
d. ‘functionality’ cookies that enable ‘memorising’ the User’s selected settings and personalisation of the User’s interface, e.g. in terms of the selected language or region from which the User originates, font size, website appearance etc.; and
e. ‘advertising’ cookies that enable delivery to the User of advertising content better customised to the User’s interests.
4. In multiple cases, the software used for browsing online content (the Internet browser) accepts, by default, storage of cookies on the User’s device. The Website’s Users may change the cookie settings at any time. Those settings may be changed, in particular to block automatic enabling of cookies in the browser’s settings or to inform each time about their placement on the device of the Website’s User. The details of the options and methods of enabling cookies can be found in the software’s (the Internet browser’s) settings.
6. The data contained in cookies are processed by the Controller for the purpose of keeping the Website’s traffic statistics, which constitutes the Controller’s legitimate interest.
8. The cookies placed on the User’s device may be used also by the advertisers and partners collaborating with the Controller.
9. The terms of storage or receipt of cookies may be changed through configuration of the settings in online browsers.
Article 6. Rights of the Users
1. The User may request from the Controller, at any time, the right to access the User’s personal data, rectify or erase the same or restrict their processing, file an objection to their processing, as well as the right to data portability. To the extent in which processing is based on the consent given by the User, the User also has the right to withdraw his or her consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
2. Furthermore, the User has the right to lodge a complaint with the supervisory authority, namely Poland’s Personal Data Protection Office (UODO).
3. The User’s rights shall be exercised at the User’s request sent via e-mail to email@example.com. Should the User deem such measure inadequate, the User may send a letter to the Controller to the following address: Aleja 3 Maja 9, 30-062 Kraków.
4. The exercise of the right to data erasure involves erasing the data without undue delay, including their erasure from the records kept by the Controller, in compliance with the applicable laws and regulations.
6. Personal data shall be transmitted as follows:
a. The Controller shall transmit the data in a structured, commonly used and machine-readable format, i.e. in XML, JSON and CSV formats;
b. Where the Controller finds that the right to personal data portability is not vested in the User in any given case and, consequently, the Controller does not intend to take any measures in connection with the User’s request, the Controller shall notify the data subject of the reasons for not taking any measures.
Article 7. Final Provisions