We take the protection of your personal data very seriously. This Data Protection Policy describes our obligations to you. Please read it carefully as it provides the basic principles and mechanisms of processing your personal data. Please also review all other documents that we have adopted in order to protect your rights and ensure the security of your information: Cookies policy.
1. IMPORTANT TERMINOLOGY
In our Data Protection Policy, as well as in other documents that govern our use and processing of data, there are a number of terms important from the perspective of your data protection rights:
- PERSONAL DATA – means information about an identified or identifiable natural person. An identifiable natural person is one who can be directly or indirectly identified, in particular on the basis of an identifier such as a name, an ID number, location data, any Internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual;
- DATA PROCESSING – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means; Examples of data processing: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- PERSONAL DATA CONTROLLER – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
The Personal Data Controller designated for the personal data of our customers, whom you can contact in all matters concerning the protection of your data, is: PHOTON ENTERTAINMENT SP. Z O.O. with its registered office in Poland, Narodowych Sił Zbrojnych 3, 15–690 Białystok, NIP 9662102678, REGON 363861420, with the share capital of 13,250.00 PLN, entered into the register of entrepreneurs of the National Court Register kept by the District Court of Białystok in Białystok, XII Commercial Division of the National Court Register under the KRS number 0000605171.
- DATA PROTECTION INSPECTOR – means a person specially appointed by the Personal Data Controller to ensure that the organization processes stored personal data in compliance with the applicable data protection rules. The Data Protection Officer (DPO) does not replace the Personal Data Controller and does not take over anyone's duties, but is an independent expert specializing in complex issues related to data protection laws and compliance.
In our Company the role of the Data Protection Officer is assigned to Mr Krzysztof Dziemiańczuk.
- LAWFULNESS OF PROCESSING – the legally defined grounds on which we process personal data. They result directly from the provisions of the GDPR in the EU and are as follows:
- 6(1)(a) GDPR – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject;
- 6(1)(d) GDPR – processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- PROFILING – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements; Examples of profiling are e.g. automatic evaluation of a credit score or displaying targeted ads based on previous activity on the Internet.
- DATA PROCESSOR – means a natural or legal person, public authority, agency or other entity which processes personal data on behalf of the controller. It is common for personal data controllers to legally entrust user personal data to other entities. In all such cases, the data must still be protected by the processor at least as well as by the data controller.
- PERSONAL DATA RECIPIENT – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
- CONSENT TO THE PROCESSING OF DATA – a very important term, because most often we process your data on the basis of your consent. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, allows the processing of personal data relating to him or her.
- SUPERVISORY AUTHORITY – a public authority in a Member State appointed to supervise compliance with the provisions of the law on personal data protection. Before introduction of the GDPR provisions the role of such Supervisory Authority in Poland was assigned to GIODO (Inspector General for Personal Data Protection). Currently, the role of the supervisory authority in Poland is assigned to the President of UODO (The Personal Data Protection Office). Please remember that you are entitled to complain directly to the Supervisory Authority and you can always contact this institution if you believe that your data is being processed unlawfully.
The principles of personal data processing result primarily from the so–called General Data Protection Regulation (GDPR). The GDPR is an EU regulation on data protection and privacy applying to all individuals within the European Union (EU) territory and the European Economic Area (EEA). The same rules apply to Polish and, for example, French entrepreneurs. The full text of this legal act in English is available on-line. Please search for it in the EUR–Lex service, which is the database of legal acts applicable in the European Union. The full name of this act is: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Further on, as we did earlier, we will use its abbreviated name: GDPR. Apart from the GDPR, specific provisions of Polish law also regulate the processing of personal data, in particular the Act on the Protection of Personal Data.
3. WHY AND HOW WE PROCESS YOUR PERSONAL DATA
In our company, we process a wide range of personal data for specific purposes. Every time we start processing your data on one of the legal bases, you are promptly informed about it. Our notifications list the specific data we process and the purpose of such processing. Our notifications may also contain specific indications, e.g. about the use of your data for so–called profiling (creation of a user profile on the basis of gathered information). Please read them carefully every time. If your consent is required for the processing of your data, you will receive this information before giving your consent. Remember that your consent is always voluntary and you can withdraw it at any time without giving any reason. Please note that we may not be able to provide you with our services, process your order or provide certain functionalities without obtaining your personal data. You must consciously decide on a case-by-case basis whether you want to allow us to process your data. Payment data, including your personal data, may be transferred to PayLane Sp. z o.o. with its registered office: 80–387 Gdansk, Arkońska 6/A3, Poland KRS: 0000227278, to the extent necessary to handle payment for the order. For your information, we indicate several types of personal data that we may process, as well as their intended purposes. We provide the specific legal basis and specify the purpose of the data processing each time.
| THE EXAMPLES OF PROCESSED DATA | THE PURPOSE OF DATA PROCESSING |
| --- | --- |
| name, surname, postal address | dispatch of goods, invoicing |
| bank account number | refund, payment of earnings |
| telephone number | business contact, enabling customer service contact (if you agree) |
| clicks registered on the website | providing you with recommendations and personalized advertisements |
4. THE BASIC PRINCIPLES OF PERSONAL DATA PROTECTION
The processing of your personal data may look different each time, depending on the type of data, the purpose, the means used, the legal basis, etc. The processing of your personal data may take place on a case–by–case basis. In each case, however, we are guided by a number of basic values and principles:
CONFORMITY WITH LAWS – Your personal data is always processed in accordance with the law;
RESPONSIBILITY – we process personal data reliably in an organized and responsible way;
TRANSPARENCY – we try to make our data processing transparent;
PURPOSE – we always collect and process data for a specific lawful purpose or purposes; we do not collect data only to create a backup;
RELEVANCE – we only process data which is necessary for a specific purpose; we limit data processing to what is absolutely necessary in order to achieve a specific goal;
RELIABILITY – we take all reasonable care to process only correct and up to date personal data;
STORAGE PERIOD – in accordance with the GDPR it means storage of data in a form that allows identification of a natural person for no longer than it is necessary for a given processing purpose; we store personal data no longer than it is necessary;
INTEGRITY AND CONFIDENTIALITY – we process data in a manner that ensures appropriate data security, including protection against unauthorized or unlawful processing, loss, destruction or damage. We use appropriate technical and organizational measures to ensure such level of protection;
ACCOUNTABILITY – the data controller is responsible for compliance with the above rules. We keep records of how we process your personal data to demonstrate our compliance when necessary.
5. YOUR RIGHTS
The GDPR regulations give you a number of rights which you can exercise if we process your personal data. You have:
- The right to access and receive a copy of your personal data. You have the right to receive from us one copy of your personal data that we process. We may charge a reasonable fee for the administrative costs for any subsequent requests. If you request a copy of your data by electronic means we will provide the requested information using the same electronic means, unless stated otherwise. Before submitting any subsequent requests for a copy of your data, please inquire about the fees first;
- The right to rectification of your personal data.
- The right to erasure (right to be forgotten). You can ask for the erasure of your personal data if you think that your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The right to restriction of processing. If you believe that we store incorrect data about you but you do not want us to delete the data, you have the right to request that we only store such data or take any other action agreed with you.
- The right to object to the processing of data.
- The right to data portability.
- If we process your data on the basis of your consent, you have the right to withdraw your consent to the processing at any time, without giving any reason. This does not affect the legality of processing performed to date.
- Right to lodge a complaint with a supervisory authority about our actions.
In order to exercise your rights, you must first notify us. First of all, please contact the Data Controller using the method of your choice. To make it easier, we have prepared a template for your request (or statement), which you can use in communication with us – you will find it at the bottom of this Data Protection Policy. Regardless of how, when and by what method you communicate with the Data Controller, please refer to the following instructions, which set out the legal rules we will apply when handling your inquiry: The information shall be provided to the requester in writing or otherwise, including, where appropriate, by electronic means. If the data subject so requests, information may be provided verbally, provided that the identity of the data subject is confirmed by other means. The Data Controller may refuse to process the data subject's request if it is not possible to positively verify the identity of the requester. The Data Controller shall, without undue delay – and in any event no longer than within one month of receipt of the request – provide the data subject with information on the action taken in regard to the request. If necessary, this period may be extended by a further two months due to the complexity of the request or the number of requests. Within one month of receipt of the request, the controller shall inform the data subject of any such extension, stating the reasons for the delay. If the data subject requests information by electronic means, the information shall also be provided electronically, if feasible, unless the data subject requests otherwise. If the controller does not act on the data subject’s request, it shall immediately, and at the latest within one month of receipt of the request, inform the data subject of the reasons for not taking action and of the right to lodge a complaint with the supervisory authority and to seek legal remedies before a court of law.
Information provided by the Data Controller, as well as communication and actions taken in connection with the request handling, shall be free of charge. If the data subject’s requests are evidently unjustified or excessive, in particular due to their repeated pattern, the Data Controller may charge a reasonable fee for the administrative costs of providing the requested information, for the time spent on communication, or for taking the requested action, or may refuse to act on the request. If the Data Controller has reasonable doubts as to the identity of the natural person making the request, additional information necessary to verify the identity of the data subject may be requested.
6. PROCESSING PERSONAL DATA OF CHILDREN
It may happen that persons who are not yet of legal age will use our services in accordance with the law. If you are at least 16 years old, you have the right to give us your own consent to process your personal data. The minimum age of 16 years is directly taken from the provisions of the GDPR. However, if the Polish legislation in force modifies this age limit, we will follow the provisions of Polish law. If you are under the age of 16 and want to consent to the processing of your personal data, we can only do so if your legal guardian expressly consents to this – then he or she must also give us his or her explicit consent, which we will receive and retain. The written consent of your legal guardian is necessary as proof of their consent, and also for the sake of clarity of the rules applied to the processing of your personal data.
7. COOKIES ON OUR WEBSITE
8. MAINTAINING OUR DATA PROTECTION SYSTEM. NEW PRODUCTS, SERVICES AND ACTIVITIES
If we introduce changes in the functioning of our company, begin to offer new products and services, or change the way your personal data is processed, we will review our existing data protection principles. We constantly monitor our actions and how they affect the security of your privacy. Furthermore, if we see that our actions may affect your privacy in any way, we perform appropriate risk analyses. If we create new products, services and deployments, we will initially adopt configurations and settings that do not expose you to personal data processing beyond what is necessary to use our products or services. If we make changes to our operations, we also audit our data protection principles in order to provide a higher level of protection of your personal data.
9. WHO NEEDS TO COMPLY WITH THIS DATA PROTECTION POLICY?
All our staff, and in particular persons with access to any personal data, must comply with this Data Protection Policy. Our employees and associates are committed to adhering to these principles of data protection and, in all our actions, we ensure that we process your data lawfully and in accordance with the principles of our Policy as described above. We follow these principles, and you benefit from them as we create our products, services and solutions for you.
10. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
We may transfer your data to other countries as our servers may be located abroad or because our subcontractors are located in another country. If we transfer your data to another country of the European Union or the European Economic Area, your data may be processed further according to the same principles applicable to Poland – the GDPR regulations are observed in all EU countries in the same way. However, if your personal data is transferred outside of the EEA, we will notify you separately. We always ensure that after leaving the EEA your data is as secure as with us, and we guarantee not to transfer your data to any company, entrepreneur or organization that does not guarantee the same level of data protection as Poland and the European Union.
11. RECORDS OF PROCESSING ACTIVITIES
As the Data Controller we maintain records of data processing activities. Such records act as a specific “map” indicating the flow of your data in our organization. These records are one of the key elements enabling us to implement the fundamental principle of data processing – the principle of accountability, which we mentioned earlier.
12. THE SECURITY OF YOUR DATA
We protect your data as much as we can. For this purpose we have introduced technological, organizational and physical security measures appropriate to the level of risk associated with the processing of your data. Depending on the circumstances, we may use different types of security features: IT security, encryption, pseudonymization, physical security measures, reliable internal rules on the processing of personal data, and data access control limited to authorized personnel. We protect your data against accidental loss, modification or unauthorized disclosure to third parties.
13. PERSONAL DATA BREACH
If there is a breach of the protection of your personal data, we will notify you about it, and confirm whether this may actually affect your rights, freedoms or privacy. As a general rule, the law requires us to inform two parties about any personal data breaches: the supervisory authority and you. At the same time, if your privacy or other rights are not at risk (the law explicitly mentions the following cases: the data controller has implemented appropriate technical and organizational security measures and these measures have been applied to the personal data concerned by the breach, and in particular measures such as encryption to prevent unauthorized access to such personal data; the controller has then applied relevant measures to eliminate the likelihood of a high risk of infringement of the rights or freedoms of the data subject) there is no cause for concern and we do not need to inform you separately given these legal provisions. If individual notification of all data subjects about a data breach would require a disproportionate effort, a public notice shall be issued or a similar measure shall be taken by which data subjects shall be informed of the breach in an equally effective manner. In the event of a personal data breach, we will also inform the supervisory authority accordingly without undue delay, unless the breach is unlikely to result in a risk of infringement of the rights or freedoms of natural persons – this exception also results directly from the provisions of the law.
14. A TEMPLATE FORM TO USE IN ORDER TO EXERCISE YOUR RIGHTS
Below you will find a useful form to use in your communication with us, enabling you to exercise your rights related to the processing of personal data by our company. There is no obligation to use it, but it will make it easier for us to deal with your case quickly and thoroughly. You can send it to us using the contact details of the Data Controller provided earlier.
Place: [___], date: [___]
To: PHOTON ENTERTAINMENT SP. Z O.O. with its registered office: 15–690 Białystok, Narodowych Sił Zbrojnych 3, Poland. NIP 9662102678, REGON 36386142000000, KRS 0000605171
Your personal and contact details (name, surname, address, telephone number, email address): [___]
REQUEST / STATEMENT OF AN INDIVIDUAL WHOSE PERSONAL DATA ARE BEING PROCESSED
The following request applies to (tick at least one of the boxes or in any other unambiguous way indicate to which rights your request or statement is related):
☐ right to access and receive a copy of personal data;
☐ right to rectification;
☐ right to erasure;
☐ right to restriction of processing;
☐ right to object to data processing;
☐ right to data portability;
☐ right to withdraw my consent;
☐ other.
Please indicate your preferred method of communication (e–mail, post, direct contact): [___]
Please provide the exact wording of your request. In particular, we ask you to indicate the specific personal data to which your request is related and, if possible, the circumstances in which we obtained your consent or informed you about the processing of your data. This will make it easier for us to handle and quickly process your case: [___]
CAUTION
The information shall be provided to you in writing, and if appropriate, by electronic means. If the data subject so requests, information may be provided verbally, provided that the identity of the data subject is confirmed by other means. The Data Controller may refuse to process the data subject's request if it is not possible to positively verify the identity of the requester. The Data Controller shall, without undue delay – and in any event no longer than within one month of receipt of the request – provide the data subject with information on the action taken in regard to the request. If necessary, this period may be extended by a further two months due to the complexity of the request or the number of requests. Within one month of receipt of the request, the controller shall inform the data subject of any such extension, stating the reasons for the delay. If the data subject requests information by electronic means, the information shall also be provided electronically, if feasible, unless the data subject requests otherwise.
If the controller does not act on the data subject’s request, it shall immediately, and at the latest within one month of receipt of the request, inform the data subject of the reasons for not taking action and of the right to lodge a complaint with the supervisory authority and to seek legal remedies before a court of law. Information provided by the Data Controller, communication, and actions undertaken in connection with the request handling shall be free of charge. If the data subject’s requests are evidently unjustified or excessive, in particular due to their repeated pattern, the Data Controller may charge a reasonable fee for the administrative costs of providing the requested information, for the time spent on communication or for taking the requested action, or may refuse to act on the request. If the Data Controller has reasonable doubts as to the identity of the natural person making the request, additional information necessary to verify the identity of the data subject may be requested.