1.1. Data Controller or Cyfrowy Polsat – Cyfrowy Polsat S.A. with its registered office at ul. Łubinowa 4a, 03-878, Warsaw, Poland, entered in the Register of Entrepreneurs maintained by the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register, under No. KRS 0000010078, NIP 796-18-10-732, with a share capital of PLN 25,581,840.64, paid in full.
1.2. Personal data – any information relating to an identified or identifiable natural person who can be identified by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including – if they enable User’s identification – IP of a device, location data, an online identifier and information collected through cookies and other similar technologies.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“General Data Protection Regulation”).
1.5. Service – an online service maintained by the Data Controller under the address: raportniefinansowy2017.grupapolsat.pl, raportniefinansowy2017.grupapolsat.pl/en and mobile and web applications.
1.6. User – any natural person visiting the Service or using one or more services or functions of the Service.
1.7. Trusted Partner – an entity with which the Data Controller cooperates, providing marketing content to the User or acting as an intermediary in provision of such content.
2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE SERVICE
2.2. In connection with the use of the Service by the User, the Data Controller collects his or her data in connection with the provision of individually offered services, as well as information about User’s activity in the Service, including IP of a device, location data, an online identifier and information collected through cookies and other similar technologies. Cookies and similar technologies are not used for identifying the User and an identity of the User is not determined on their basis. Cookies and similar technologies, in the situation when they do not allow natural persons to be identified, may constitute personal data only in conjunction with other unique identifiers or other information allowing such a natural person to be identified.
2.3. The use of the Service is possible without a need of creating an account by the User. In such a case, the use of the Service does not require providing personal data in the registration form. Processed data include information about the use of the Service.
2.4. The User may create an account in the Service by completing a registration form (in which the mandatory data required for creating an account are properly marked, and the remaining data – if the registration form envisages providing of such data – are optional and are not required for creating an account), thanks to which the User may use additional functionalities or services of the Service. In such a case, personal data provided in the registration form and information about the use of the Service are being processed. Providing of personal data is not a legal condition, which means the User has no legal obligation to provide data for creating an account in the Service, but at the same time providing of data marked as mandatory is a condition for creating an account in the Service. Failure to provide data marked as mandatory prevents creation of an account in the Service and use of functionalities which, based on the Regulations of the Service, can be used only after creating an account.
2.5. An account in the Service may be created using social networking portals (e.g. Facebook, Twitter, Instagram, LinkedIn, G+). To create an account in the Service or if the use of other functionalities offered by such portals will be possible within the Service, at the request of the User, the Service will collect the data required for registration and handling of account in the Service from the User’s account in the social networking portal.
2.6. Upon the User’s consent, the access to information about the use of the Service may be granted to Trusted Partners who utilize cookies and similar technologies to collect and process personal data in order to personalize provided content.
2.7. If under the Service additional functionalities are available, such as a possibility of subscribing to a newsletter or using of the contact form, relevant information concerning personal data processing and the scope of processed data will be available during their collection for the needs of such functionalities.
3. COOKIES AND SIMILAR TECHNOLOGIES
3.1. Cookies and similar technologies are used in connection with the use of the Service in order to provide the User with access to the Service, enhance its operation, profile and display contents adjusted to the User’s needs.
3.2. Cookies are small text files stored in the User’s telecommunication devices (computer, phone, tablet etc.) when using the Service, which allow for storing and reading information used by the Data Controller and other entities providing services on his behalf (e.g. analytic or statistical services) or Trusted Partners for various purposes which can be divided into categories described below.
3.3. Technologies similar to cookies include, among others, local storage, session storage, and service workers, which operate in the following way: a technology utilizing a designated part of the browser’s memory used for storing data recorded by the service.
3.4. For the sake of simplicity, cookies and similar technologies will be hereinafter collectively referred to as “cookies”.
3.5. We use two types of cookies or similar technologies, depending on their life cycle:
3.5.1. session cookies – files stored in the User’s device until the User logs out or leaves the Service;
3.5.2. persistent cookies – files stored in the User’s device until their removal by the User or until the expiry of such a cookie within the time limit defined in its specifications.
3.6.1. Required cookies, necessary for the use of the Service:
a) user input cookies (session identifier) for the duration of a session;
b) authentication cookies used for services requiring authentication stored for the duration of a session;
c) user centric security cookies used for ensuring security e.g. used for detecting frauds in the area of authentication;
d) multimedia player session cookies (e.g. flash player cookies) for the duration of a session;
3.6.2. Functional cookies, facilitating the use of the Service:
a) persistent user interface customization cookies for the duration of session or slightly longer,
b) cookies used for monitoring the website traffic, i.e. data analytics – these files are used in order to analyze the way in which the Service is used by the User, to develop statistical data and reports about functioning of the Service.
3.8. The User may change the settings of cookies or similar technologies at any time by changing the privacy settings in the browser or application or by changing settings of his/her account in the Service, provided that such a change may result in the lack of access to certain functionalities of the Service.
3.9. Change of privacy settings is possible by selecting a relevant option in the browser or application settings. In case of the most popular web browsers, the User may individually manage privacy settings, including cookies, in particular by accepting cookies, changing cookie settings and blocking or deleting cookies. Method and scope of changes of the privacy settings depend on the type and version of the web browser or application used by the User. Detailed information about the change of privacy settings is available on websites of these service providers.
4. PURPOSES AND LEGAL BASIS OF PERSONAL DATA PROCESSING IN THE SERVICE
The Data Controller processes the personal data of Users for the following purposes:
4.1. ensuring access to the Service – pursuant to Article 6 item 1 letter b of GDPR;
4.2. ensuring compliance with legal obligations – pursuant to Article 6 item 1 letter c of GDPR;
4.3. the legitimate interests pursued by the Data Controller or by a third party – pursuant to Article 6 item 1 letter f of GDPR:
4.3.1. Data Controller’s own marketing, including profiling, in particular displaying of behavioral advertising, displaying marketing content for the User in the Service or sending notifications to selected Users about interesting offers or contents by electronic communication means, in particular by e-mail, provided that the User expressed his/her consent, as well as conducting other activities related to the marketing, e.g. satisfaction surveys.
4.3.2. fraud detection and elimination;
4.3.3. internal purposes related to the provision of services and conducting of business activities, including for evidence, analysis and statistics.
4.4. Personal data of the User will be processed based on the consent for marketing purposes of Trusted Partners, in particular related to the display of behavioral advertising – pursuant to Article 6 item 1 letter a of GDPR.
4.5. In order to execute the above mentioned goals, the Data Controller utilizes profiling in some cases. This means that, thanks to the automatic data processing, the Data Controller evaluates selected factors related to natural persons in order to analyze their behavior or create a forecast for the future. As a result of these analyses, no significant decisions regarding the User are made.
5. PERIOD OF PERSONAL DATA PROCESSING
5.1. Personal data are processed until the account is deleted from the Service, and then for the period: a) envisaged for the fulfillment of obligations resulting from the provisions of the law concerning defense, state security and public law and order, as well as tax and accounting regulations, b) for the period of limitation of claims and until the end of civil, enforcement, administrative and criminal proceedings requiring personal data processing, and in the case of the provided consent – until the purpose for which the consent was granted is achieved or until the consent is revoked, whichever comes earlier.
5.2. The User may individually remove cookies from his/her device. In order to erase cookies from the User’s terminal (computer, phone, tablet etc.), clear the browser’s cache and cookies. The process of clearing the browser’s cache and cookies shall be performed in the browser’s settings. Settings may vary between browsers and their versions. More information about options available in individual browsers is presented in section 4.10. Removing of cookies will result in removing of the Service’s settings.
6. USER RIGHTS
6.1. In connection with the processing of personal data, the User shall have the following rights:
6.1.1. the right to rectification of data – if the collected data are incorrect or outdated, the User has the right to provide correct and up-to-date data and the Data Controller shall correct or update them;
6.1.2. the right to access the data – the User may exercise this right to learn what data are processed;
6.1.3. the right to erasure of data, also known as “the right to being forgotten” – if the User decides that the data are no longer necessary for the purposes for which they were collected, the User has the right to ask the Data Controller to erase them;
6.1.4. the right to restriction of processing – if the User has doubts whether the Data Controller processes the data in a correct manner, he/she has the right to apply for restriction of processing;
6.1.5. the right to transfer the data – the User may receive and transfer the data delivered to the Data Controller from the Data Controller to another entity;
6.1.6. the right to object to processing of personal data, based on the legitimate interest pursued by the Data Controller or by a third party, including profiling, on grounds relating to his or her particular situation and the right to object to processing of personal data for direct marketing purposes;
6.1.7. the right to revoke consent at any time – the User has the right to revoke his or her consent granted to processing of data at any time and without providing any reason; revoking of the consent has no impact on the legality of data processing which took place before revoking of such a consent; such processing remains fully valid and legal; the User may revoke his or her consent by changing settings;
6.2. In order to examine the request for exercising the above mentioned rights, the Data Controller is entitled to verify the identity of the User, which shall prevent disclosure of information about the User to unauthorized persons. In case of Users who have not created an account in the Service, the Data Controller has no possibility to verify the User’s identity, because the processed data concern only information about the user of the Service, without information about the User’s identity.
6.3. The User may file a complaint regarding the processing of personal data to the supervising authority dealing with the personal data processing. The President of the Office of Personal Data Protection is the supervising authority in the Republic of Poland.
7. RECIPIENTS OF DATA AND TRUSTED PARTNERS
7.1. Personal data of Users may be transferred to the following categories of recipients: entities providing services to the Data Controller required for fulfilling of the above mentioned purposes, including IT suppliers, entities providing technical, organizational and consulting support, to other sub-contractors with respect to customer service, charging and handling of payments, marketing, integrators and entities providing additional services under premium rate services, entities entitled by law, companies from Cyfrowy Polsat Group.
8. TRANSFER OF DATA OUTSIDE OF EEA
Personal data of Users may be transferred to countries / international organizations located outside of the European Economic Area, where such a country / organization, based on the decision of the European Union, was deemed as ensuring an adequate level of personal data protection, equivalent to the degree of protection valid on the territory of the European Economic Area or provided that the appropriate safeguards are applied, which may consist in using valid corporate rules, standard contractual clause adopted by the European Commission, standard personal data protection clauses adopted by the President of the Office of Personal Data Protection or contractual clauses authorized by the President of the Office of Personal Data Protection, and their copies may be obtained at the request submitted in the manner mentioned in item 10 above.
9. SECURITY OF PERSONAL DATA
9.1. The Data Controller analyzes the risks, on an on-going basis, to ensure that the personal data are processed by him in a secure manner – ensuring most of all that only authorized persons may access them and only to the extent which is necessary for the tasks they perform. The Data Controller makes sure that the operations on personal data are recorded and performed only by authorized employees and co-workers.
9.2. The Data Controller shall take all necessary measures to ensure that also his sub-contractors and other cooperating entities provide guarantee of applying appropriate security measures in any case of processing of personal data at the request of the Data Controller.
10. CONTACT DATA
10.1. Requests, declarations and any correspondence regarding personal data shall be addressed by phone to the Customer Service Department (phone no. 22 212 72 22), or in writing to the address: Cyfrowy Polsat S.A., ul. Łubinowa 4a, 03-878 Warszawa, by e-mail to: email@example.com, as well as in writing or orally for the record at the Point of Sale (Service).
10.2. The Data Controller has appointed a Data Protection Inspector who can be contacted: by phone at 022-426-19-30, by e-mail at: firstname.lastname@example.org or in writing to the above mentioned address of the Data Controller marked „Inspektor ochrony danych” (Data Protection Inspector).