ARTICLE 1 GENERAL PROVISIONS

  1. This Privacy Policy contains a set of rules regarding the processing and protection of personal data in connection with the use of the website nesperta.pl, including the grounds, purposes and scope of the processing of personal data and the rights of data subjects as well as information on the use of cookies and analytical tools on the website.
  2. The controller of personal data collected via the website nesperta.pl is Nesperta sp. z o.o., with its registered office in Poznań, 60-149, ul. Jugosłowiańska 43, hereinafter referred to as the “Controller”.
  3. Personal data are processed by the Controller in accordance with the applicable laws, in particular:
    1. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
    2. Personal Data Protection Act of 10 May 2018 (complete text: Journal of Laws of 2019, item 1781);
    3. Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combatting of Crime (Journal of Laws of 2019, item 125);
    4. Act of 18 July 2002 on the Provision of Electronic Services (complete text: Journal of Laws of 2020, item 344);
    5. Telecommunication Law Act of 16 July 2004 (complete text: Journal of Laws of 2019, item 2460, as amended);
    6. Consumer Rights Act of 30 May 2014 (complete text: Journal of Laws of 2020, item 287);
    7. Labour Code Act of 26 June 1974 (complete text: Journal of Laws of 2020, item 1320);
    8. Civil Code Act of 23 April 1964 (complete text: Journal of Laws of 2020, item 1740).
  4. The Controller’s contact person for matters concerning personal data protection is the Data Protection Officer (Michał Labocha), who can be contacted via the e-mail address iod@nesperta.com with correspondence and requests regarding the exercise of rights by data subjects.

ARTICLE 2 PURPOSE, SCOPE, GROUNDS AND PERIOD OF PERSONAL DATA PROCESSING

  1. The Controller processes personal data in the following cases:
    1. In order to establish cooperation, i.e. answer enquiries (Article 6(1)(f) GDPR) and take action at the request of the data subject prior to the conclusion of a contract (Article 6(1)(b) GDPR). For this purpose, the Controller processes the following data: given name and surname (where available), position, company name, postal address (where available), e-mail, phone number. Data are processed for the period necessary to establish cooperation and conclude a contract.
    2. For marketing its own products (Article 6(1)(f) GDPR), including marketing communication by post, e-mail and phone. For this purpose, the Controller processes the following data: given name and surname (where available), postal address (where available), e-mail, phone number, company name – until objection is raised.
    3. For purposes of the recruitment process: based on the job application sent, i.e. taking action before concluding a contract as part of exercising rights under the law (legal grounds: Article 6(1)(b) GDPR, in connection with Article 22¹(1) of the Labour Code); when personal data are provided in a broader scope, including the data specified in Article 9(1) GDPR when they are necessary to exercise a right or fulfil an obligation under the law (legal grounds: Article 6(1)(a) and Article 9(2)(a) GDPR, in connection with Article 22¹(4) of the Labour Code); and when consent is given to the processing of data for this purpose (legal grounds: Article 6(1)(a) GDPR). The Controller processes personal data in the scope specified in Article 22¹ of the Labour Code, in particular: given name and surname, date of birth, contact details, education, professional qualifications, employment history and other personal data included in the application. Personal data for recruitment purposes will be stored no longer than 3 months from the end of the recruitment process, unless consent has been given to the processing of personal data for future recruitment purposes. In this case, personal data will be processed for a period of 6 months from the sending of the application to us or until consent to data processing is withdrawn.
    4. For the purpose of managing messages via the contact form (Article 6(1)(a) GDPR), the Controller processes the following data: given name and surname (where available) and e-mail for the period necessary to formulate replies and perform tasks related to the functioning of the website or until consent is withdrawn.
    5. For analytical and statistical purposes, for the purpose of improving the provided services and security, including IT security, and for preventing and counteracting fraud (Article 6(1)(f) GDPR), the Controller processes the following data: IP address. These data will be processed for the period necessary to perform the tasks related to the functioning of the website or to clarify any incidents.
    6. In order to fulfil a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR). The Controller processes the following data: given name and surname, company name, e-mail, phone number, address of residence or registered office, delivery address if different from private address or business address, tax ID (NIP), order number and bank account number. The data will be processed for the period specified by the applicable laws.

ARTICLE 3 DATA RECIPIENTS

  1. Personal data may be transferred to the following recipients or categories of recipients:
    1. carriers, forwarders, couriers, postal operators carrying out shipments at the request of the Controller, to the extent necessary to make a delivery;
    2. providers of services supplying the Controller with technical, IT and organisational solutions enabling the Controller to conduct business activity and provide electronic services (in particular, computer software suppliers, e-mail and hosting providers as well as software suppliers for company management and providing technical assistance to the Controller). The Controller provides personal data only if and to the extent necessary for a specific purpose of data processing in compliance with the Privacy Policy;
    3. suppliers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular, accounting, legal or debt collection firms). The Controller provides personal data only if and to the extent necessary for a specific purpose of data processing in compliance with the Privacy Policy.
  2. The transfer of personal data by the Controller each time requires the existence of at least one of the grounds indicated in the Privacy Policy. The Controller only transfers data when it is necessary to achieve a specific purpose of data processing and only to the extent necessary for such purpose.

ARTICLE 4 TRANSFER OF PERSONAL DATA TO OTHER ENTITIES, INCLUDING OUTSIDE THE EUROPEAN ECONOMIC AREA

  1. The Controller does not transfer the personal data being processed to third parties, except entities processing personal data at the request of the Controller and if such transfer is necessary due to legal regulations (at the request of authorised state authorities), in which case the scope of the provided data will be limited to the data necessary for the purpose of such disclosure.
  2. Entities with whom the Controller cooperates with your consent (Article 6(1)(a) GDPR), including Google or Facebook, are based in countries of the European Economic Area (EEA) or Switzerland, which is recognised as a country that ensures an adequate level of personal data protection. Therefore, the level of data protection in these countries is the same as in Poland. In the case of other entities based outside of the EEA, regardless of your consent (Article 49(1)(a) GDPR), the Controller verifies whether these entities ensure appropriate safeguards of a high level of protection of the personal data being processed. These safeguards result, in particular, from the obligation to apply the standard contractual clauses adopted by way of Commission Decision 2010/87/EC of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).

ARTICLE 5 RIGHTS OF THE DATA SUBJECT

  1. The data subject has the following rights regarding personal data:
    1. right of access;
    2. right to rectification;
    3. right to erasure;
    4. right to restriction of processing;
    5. right to data portability;
    6. right to withdraw consent and object to processing of personal data;
      • If you have given consent to the processing of your data, you can withdraw it at any time. Such a withdrawal affects the admissibility of processing your personal data after their transfer. Withdrawing the consent does not affect the lawfulness of processing based on the consent before its withdrawal;
      • If the Controller has based the processing of your personal data on the balancing of interests, in particular under Article 6(1)(f) GDPR, you may object to the processing. This is particularly the case when processing is not necessary for the performance of a contract concluded with you, which purpose is referred to in Article 2. When withdrawing consent, you will be asked for the reasons why your personal data should not be processed by the Controller, who will verify the situation and stop or adjust the data processing or indicate important, legitimate reasons based on which it will continue processing;
      • You may, of course, object to the processing of your personal data for direct marketing purposes at any time;
    7. right to lodge a complaint with a supervisory authority if the data subject believes that the processing of their personal data violates the provisions of the GDPR.
  2. In order to exercise the above-mentioned rights, the Controller should be contacted in writing, via the e-mail address specified in Article 1(2) or using the Contact Form available on the website.

ARTICLE 6 COOKIES

  1. Cookies are small pieces of data in the form of text files that are sent by the server and saved on the website visitor’s device (e.g. computer hard drive, smartphone memory card, depending on the device used). They usually contain the name of the website they originate from, storage time on the end device and a unique number, but they may contain personal data in the form of an IP address and a unique device identifier stored in the file.
  2. Cookies are used for:
    1. making it possible to use certain features of webpages;
    2. generating statistics which help us understand how users interact with the webpages, allowing us to improve webpage structure and content, and ensure a more efficient browsing experience;
    3. adjusting the content of webpages to user preferences. In particular, these files allow us to recognise the user’s device and properly display a webpage that is personalised to their individual needs.
  3. The Controller may process data contained in the cookies when visitors use a webpage in order to maintain a secure session for the user during their visit. The cookies make it possible to ensure better and more responsive server operation by remembering which server should handle the user’s requests.
  4. The cookies used on the website are session cookies, which are deleted once the browser window is closed.
  5. We would also like to point out that each user has the option of specifying how cookies are used by changing their browser settings. In particular, the user can partially restrict or completely disable cookies, but the latter may affect certain functionalities of the website.
    Presented below are the cookie settings of the most popular browsers:
    • Chrome: Settings > Privacy and security > Site settings,
    • Edge: Settings > Site permissions > Cookies and site data,
    • Firefox: Options > Privacy and security,
    • Safari: Preferences > Privacy.

ARTICLE 7 PROTECTION OF PERSONAL DATA

  1. The Controller undertakes to protect the personal data processed in accordance with the applicable laws, not to disclose the data to third parties and to process the data only for the purposes specified above. This does not apply to the disclosure of personal data, as previously indicated, to entities authorised to receive such data on the basis of applicable laws.
  2. The Controller represents that it will use its best endeavours to ensure a high level of security for the website visitor, and, for this purpose, it uses:
    1. technical and organisational measures, in particular with regard to the security of personal data processing;
    2. means of ensuring:
      1. ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      2. the restoration of the availability of and access to the personal data in a timely manner in the event of a physical or technical incident;
      3. regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of the processing.
    3. Any events affecting the security of information and personal data transmission, including suspected security breaches or disclosure of data to unauthorised persons, must be reported to the Controller at the following e-mail address: iod@nesperta.com

ARTICLE 8 REVISIONS OF THE PRIVACY POLICY

In response to changes in technology and legislation, including laws governing privacy protection and online business, the Controller may revise the Privacy Policy, which will be published on its website with a new date.
The current version is in effect as of 24 February 2021.