ARTICLE 1 – GENERAL PROVISIONS
- The controller of personal data collected via the website nesperta.pl is Nesperta Europe sp. z o.o., Obornicka 7, 62-002 Jelonek, hereinafter referred to as the “Controller”.
- Personal data are processed by the Controller in accordance with the applicable laws, in particular:
- Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
- Personal Data Protection Act of 10 May 2018 (complete text: Journal of Laws of 2019, item 1781);
- Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combatting of Crime (Journal of Laws of 2019, item 125);
- Act of 18 July 2002 on the Provision of Electronic Services (complete text: Journal of Laws of 2020, item 344);
- Telecommunication Law Act of 16 July 2004 (complete text: Journal of Laws of 2022 item 1648, as amended);
- Consumer Rights Act of 30 May 2014 (complete text: Journal of Laws of 2020, item 287);
- Labour Code Act of 26 June 1974 (complete text: Journal of Laws of 2022 item 1510 as amended);
- Civil Code Act of 23 April 1964 (complete text: Journal of Laws of 2022 item 1360).
- The Controller’s contact person for matters concerning personal data protection is the Data Protection Officer (Michał Labocha), who can be contacted via the e-mail address firstname.lastname@example.org with correspondence and requests regarding the exercise of rights by data subjects.
ARTICLE 2 – PURPOSE, SCOPE, GROUNDS AND PERIOD OF PERSONAL DATA PROCESSING
- The Controller processes personal data in the following cases:
- in order to establish and implement cooperation and answer inquiries (Article 6(1)(f) of the GDPR) and take action at the request of the data subject prior to the conclusion a contract (Article 6(1)(b) GDPR. For this purpose, the administrator processes the following data: given name and surname (where available), position, company name, postal address (if provided), e-mail, telephone number. The data are processed for the period necessary to establish cooperation and conclude a contract.
- for direct marketing its of own products (Article 6(1)(f) of the GDPR), including customer satisfaction and opinion surveys, and sending information by traditional mail, e-mail or telephone (where available). For this purpose, the Controller processes the following data: name and surname (where available), postal address (where available), e-mail address, telephone number, company name – until the objection is raised.
- for purposes of the recruitment process: based on the job application sent, i.e. taking action before concluding a contract as part of exercising rights under the law (legal grounds: Article 6(1)(b) GDPR, in connection with Article 22¹(1) of the Labour Code); when personal data is provided in a broader scope, including the data specified in Article 9(1) GDPR when they are necessary to exercise a right or fulfil an obligation under the law (legal grounds: Article 6(1)(a) and Article 9(2)(a) GDPR, in connection with Article 22¹(4) of the Labour Code); and when consent is given to the process of data for this purpose (legal grounds: Article 6(1)(a) GDPR). The Controller processes personal data in the scope specified in Article 22¹ of the Labour Code, in particular: given name and surname, date of birth, contact details, education, professional qualifications, employment history and other personal data included in the application. Personal data for recruitment purposes will be stored, not longer than 3 months from the end of the recruitment process, unless consent has been given to the processing of personal data for future recruitment purposes. In this case, personal data will be processed for a period of 6 months from the sending of the application to us or until consent to data processing is withdrawn.
- for the purpose of managing messages via the contact form (Article 6(1)(a) GDPR), the Controller processes the following data: given name and surname (where available) and e-mail for the period necessary to formulate replies and perform tasks related to the functioning of the website or until consent is withdrawn.
- for analytical and statistical purposes, for the purpose of improving the provided services and security, including IT security, and for preventing and counteracting fraud (Article 6(1)(f) GDPR), the Controller processes the following data: IP address. These data will be processed for the period necessary to perform the tasks related to the functioning of the website or to clarify any incidents.
- In order to fulfil a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR). The Controller processes the following data: given name and surname, company name, e-mail, phone number, address of residence or registered office, delivery address if different from private address or business address, tax ID (NIP), order number and bank account number. The data will be processed for the period specified by the applicable laws.
ARTICLE 3 – DATA RECIPIENTS
- Personal data may be transferred to the following recipients or categories of recipients:
- carriers, forwarders, couriers, postal operators carrying out shipments at the request of the Controller, to the extent necessary to make a delivery;
- The Controller only transfers data when it is necessary to achieve a specific purpose of data processing and only to the extent necessary for such purpose.
- The transfer of data takes place after prior verification of the entity whether it provides sufficient guarantees of a high level of protection of the processed personal data and only on the basis of a contract or other legal instrument permitted by law.
ARTICLE 4 – TRANSFER OF PERSONAL DATA TO OTHER ENTITIES, INCLUDING OUTSIDE THE EUROPEAN ECONOMIC AREA
- The Controller does not transfer the personal data being processed to third parties, except entities processing personal data at the request of the Controller and if such transfer is necessary due to legal regulations (at the request of authorised state authorities), in which case the scope of the provided data will be limited to the data necessary for the purpose of such disclosure.
- Entities with whom the Controller cooperates with your consent (Article 6(1)(a) GDPR), including Google or Meta (Facebook), are based in countries of the European Economic Area (EEA) or Switzerland, which is recognised as a country that ensures an adequate level of personal data protection. Therefore, the level of data protection in these countries is the same as in Poland. In the case of other entities based outside of the EEA, regardless of your consent (Article 49(1)(a) GDPR), the Controller verifies whether these entities ensure appropriate safeguards of a high level of protection of the personal data being processed. These safeguards result, in particular, from the obligation to apply the standard contractual clauses adopted by way of Commission Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and taking into account adopted by the European Data Protection Board on 18 June 2021 Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
ARTICLE 5 – RIGHTS OF THE DATA SUBJECT
- The data subject has the following rights regarding personal data:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to data portability;
- right to withdraw consent and object to processing of personal data;
- If you have given consent to the processing of your data, you can withdraw it at any time. Such a withdrawal affects the admissibility of processing your personal data after their transfer. Withdrawing the consent does not affect the lawfulness of processing based on the consent before its withdrawal;
- If the Controller has based the processing of your personal data on the balancing of interests, in particular under Article 6(1)(f) GDPR, you may object to the processing. This is particularly the case when processing is not necessary for the performance of a contract concluded with you, which purpose is referred to in Article 2. When withdrawing consent, you will be asked for the reasons why your personal data should not be processed by the Controller, who will verify the situation and stop or adjust the data processing or indicate important, legitimate reasons based on which it will continue processing;
- You may, of course, object to the processing of your personal data for direct marketing purposes at any time;
- right to lodge a complaint with a supervisory authority if the data subject believes that the processing of their personal data violates the provisions of the GDPR.
- In order to exercise the above-mentioned rights, the Controller should be contacted in writing, via the e-mail address specified in Article 1(2), (4) and Article 7 (3) or using the Contact Form available on the website.
ARTICLE 6 – COOKIES
- Cookies are small pieces of data in the form of text files that are sent by the server and saved on the website visitor’s device (e.g. computer hard drive, smartphone memory card, depending on the device used). They usually contain the name of the website they originate from, storage time on the end device and a unique number, but they may contain personal data in the form of an IP address and a unique device identifier stored in the file.
- Cookies are used for:
- making it possible to use certain features of webpages;
- generating statistics which help us understand how users interact with the webpages, allowing us to improve webpage structure and content, and ensure a more efficient browsing experience;
- adjusting the content of webpages to user preferences. In particular, these files allow us to recognise the user’s device and properly display a webpage that is personalised to their individual needs.
- The Controller may process data contained in the cookies when visitors use a webpage in order to maintain a secure session for the user during their visit. The cookies make it possible to ensure better and more responsive server operation by remembering which server should handle the user’s requests.
- Necessary – to record the “consent” granted on the website in the categories: “Necessary” and “Not required”. Cookielawinfo-checkbox cookies are set by the GDPR Cookie Consent of CookieYes Limited, 3 Warren Yard Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom. The duration of these files is 1 year.
- Performance – to study visitor behavior and measure its performance and limit the amount of data collected; These files may contain unique identification numbers. _gat cookies are installed by Google for users of Google services in the European Economic Area and Switzerland – Google Ireland Limited – with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. The duration of _gat files is 1 minute,
- Analytical – to study how visitors use the website, including the number of visitors and their source; These files store information anonymously by assigning a random number. Cookies _ga, _gid, are installed by Google for users of Google services in the European Economic Area and Switzerland – Google Ireland Limited – with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. The duration of _ga files is 2 years and _gid files are 1 day,
- Functional – to remember the language selected by the user when returning to the site, as well as to obtain information about the language when it is not otherwise available. The pll_language cookie is used by Polylang, owned by WP SYNTEX 28, rue Jean Sébastien Bach, 38090 Villefontaine, France. The duration of these files is 1 year.
- We would also like to point out that each user has the option of specifying how cookies are used by changing their browser settings. In particular, the user can partially restrict or completely disable cookies, but the latter may affect certain functionalities of the website.
Presented below are the cookie settings of the most popular browsers:
- Chrome: Settings > Privacy and security > Site settings,
- Edge: Settings > Site permissions > Cookies and site data,
- Firefox: Options > Privacy and security,
- Safari: Preferences > Privacy.
ARTICLE 7 – PROTECTION OF PERSONAL DATA
- The Controller undertakes to protect the personal data processed in accordance with the applicable laws, not to disclose the data to third parties and to process the data only for the purposes specified above. This does not apply to the disclosure of personal data, as previously indicated, to entities authorised to receive such data on the basis of applicable laws.
- The Controller represents that it will use its best endeavours to ensure a high level of security for the website visitor, and, for this purpose, it uses:
- technical and organisational measures, in particular with regard to the security of personal data processing;
- means of ensuring:
- ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the restoration of the availability of and access to the personal data in a timely manner in the event of a physical or technical incident;
- regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of the processing.
- Any events affecting the security of information and personal data transmission, including suspected security breaches or disclosure of data to unauthorised persons, must be reported to the Controller at the following e-mail address: email@example.com
ARTICLE 8 – REVISIONS OF THE PRIVATE POLICY
The current version is in effect as of 8 March 2023.