1. GENERAL PROVISIONS
1.2.The controller of the personal data gathered by the www.autodna.com Website is AUTODNA SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ [Ltd.] seated in Łódź (registered office address and service address: ul. Obywatelska 128/152 94-104 Łódź) entered into the Register of Entrepreneurs of the National Court Register (KRS) at KRS no. 0000349742; registry court where company file is kept: District Court of the City of Łódź – Śródmieście in Łódź, 20th Division of the National Court Register; share capital: 50,000.00 PLN; NIP [TAXPAYER ID NO.]: 5492391545; REGON [BUSINESS ID NO.]: 121164104; e-mail: email@example.com, phone number: 48223500128, hereinafter referred to as the “Controller”.
1.3.Personal data in the Website is processed by the Controller in accordance with the provisions of law, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR” or the “GDPR Regulation”. Read the full GDPR Regulation here: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.5.The Controller will use their best efforts to protect the interest of the persons whose data is being processed. In particular, the Controller is responsible for, and guarantees that the personal data they have collected is: (1) processed in accordance with the law; (2) gathered for determined, lawful reasons and not processed for any other reasons; (3) correct and matching the purpose for which it is gathered; (4) stored in a way which makes it impossible to identify the persons to whom it belongs, for a period no longer than necessary for the purpose of processing, and (5) processed with the use of appropriate technical or organizational means, in a way which guarantees the appropriate use of personal data, including protection from unlawful processing, accidental loss, damaging or destruction.
1.6.Considering the nature, scope, context and reasons for processing as well as the varied risks of violating the rights or liberties of natural persons, the Controller applies appropriate technical or organizational means to guarantee that the data is processed in accordance with these Regulations, and to be able to prove that this is done. Whenever necessary, these means are reviewed and updated. The Controller uses technical means aimed at protecting the personal data shared by electronic means from interception and modification.
2. DATA PROCESSING: THE BASIS
2.1.The Controller is entitled to process the personal data in cases where (and to the extent in which) at least one of the below conditions is met: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject, or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3. AIM, BASIS, PERIOD AND SCOPE OF DATA PROCESSING IN THE WEBSITE
3.1.In every case, the aim, basis, period and scope of data processing as well as the recipients of the data processed by the Controller result from the activity which the Service User engages in while using the Website.
3.2.The Controller can process the personal data in the Website for the following purposes, on the following bases, in the following periods and scope:
The data is stored for the period of time necessary to fulfill, cancel or withdraw from an agreement, or until the agreement expires in any other way.
The data is stored for as long as the Controller has legitimate interest in it but not longer than until the end of the period of prescription of the claims towards the data subject due to the economic activity of the Controller. The period of prescription is determined by law, in particular the civil code. For claims related to economic activity, the basis period of prescription is three years, and for sales contracts it is 2 years).
The Controller is not allowed to process data for the purpose of direct marketing if the data subject has successfully expressed that they do not consent to this.
The data is stored until the data subject withdraws their consent for further processing of their personal data for this purpose.
The data is stored for the period required by law, by which the Controller is obliged to maintain the accounting records (that is, 5 years since the beginning of the fiscal year following the fiscal year the data is related to).
The data is stored for as long as the Controller has legitimate interest in it but not longer than until the end of the period of prescription of the claims towards the data subject due to the economic activity of the Controller. The period of prescription is determined by law, in particular the civil code. For claims related to economic activity, the basis period of prescription is three years, and for sales contracts or services )it is 2 years.
processing is necessary for the purposes of the legitimate interests pursued by the controller. In this regard, the data is processed to run and maintain the Website.
processing is necessary for the purposes of the legitimate interests pursued by the controller. In this regard, the data is processed to run the statistics and analyse the Website traffic in order to improve functioning of the Website and increasing the sales.
4. DATA RECIPIENTS IN THE WEBSITE
4.1.In order for the Website to function properly, including the ability of the Controller to deliver the Electronic Services, the Controller needs to cooperate with third parties (such as the software providers). The Controller only cooperates with third parties who process personal data who are able to satisfactorily guarantee that they have applied adequate technical and organizational measures for the data processing to meet the GDPR requirements and to protect the rights of the data subjects.
4.4.Personal Data of the Website Users can be transferred to the following recipient or categories of recipients:
a.subjects that service electronic or card payments. If a Service User decides to pay electronically or with card in the Website, the Controller shares the collected personal data of the Service User to the selected subject that services the above mentioned payments in the Website at the Controller’s request. The personal data is only transferred in the scope required to service the type of payment selected by the Service User
b.provider of the survey service. If a Service User has agreed to share their feedback related to the agreement made, the Controller shares the personal data of the Service User with the selected provider of the survey service that provides surveys of agreements made in the Website at the Controller’s request. The personal data is only transferred in the scope required to allow the Service User to express their opinion via the survey service
e.subjects and partners who publish, advertise or use the Controller’s services in their websites and services. The Controller only shares the collected personal data in the cases and scope resulting from the obligation following the civil law contracts the Controller has entered into
f.subjects and public authorities as required to remedy infringement of the law, fraud and abuse
g.providers of the social media plug-ins, scripts and other similar solutions available in the Website, which allow the browser of the Service User who visits the Website to download content from the providers of the aforementioned plug-ins. These functionalities include, for example, logging in using the login data from a social media service. The personal data of the Service User is shared with these providers for this purpose.
5. PROFILING IN THE WEBSITE
5.2.The Controller can use profiling in the Website for the purpose of direct marketing but the decisions made by the Controller based on this profiling are not related to entering or refusing to enter into an Electronic Service agreement, or enabling the Service User to use the Electronic Services in the Website. Profiling in the Website can result in offering a discount to a given person, sending them the discount code, reminding them of an unfinished purchase, sharing a proposal of a service which may be suited to their needs as per their interests or preferences, proposing better conditions than the standard Website offer, and more. Despite the profiling, it is the person’s decision whether or not to use the discount or better conditions offered in this way, and make a purchase in the Website.
5.3.Profiling in the Website means an automatic analysis or prognosis of the behaviour of the given person in the Website, e.g. by adding a particular service to the basket, viewing a particular service in the Website, or analysing the activity log of the person in the Website. In order to perform such profiling, the Controller needs to have personal data of the given person, in order to provide this person with a discount code, for example.
5.4.The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
6. RIGHTS OF THE DATA SUBJECT
6.1.Right to access, rectify, restrict, erase or transfer: the data subject has the right to request the Controller to provide him or her with access to their personal data, to rectify it, have it erased (“right to be forgotten”), to object to data processing or restrict it, and to have their data transmitted. The detailed conditions of performing the above can be found in art. 15-21 of the GDPR Regulation.
6.2.Right to withdraw consent at any time: the data subject whose data is being processed by the Controller as a result of his or her consent (as per art. 6 par. 1a or art. 9 par. 2a of the GDPR Regulation) has the right to object to processing of personal data concerning him or her at any time. This has no influence on the legitimacy of the data processing as carried out after the consent was given and before it was withdrawn.
6.3.Right to lodge a complaint with a supervisory authority: the data subject whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority as determined in the GDPR Regulation am the Polish law (in particular, the Personal Data Protection Act). The Supervising Authority in Poland is the Polish Data Protection Commissioner.
6.4.Right to object: the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on art. 6 par. 1 point e) (public interest or the exercise of official authority vested in the Controller) or f) (legitimate interests pursued by the Controller), including profiling based on those provisions. In such cases, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
6.5.Right to object to processing of personal data for direct marketing: where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
7. WEBSITE COOKIES, OPERATIONAL DATA AND ANALYTICS
7.1. Cookie files (cookies) are small text files sent by the server and stored on the Website User’s hard drive or their smarthpone’s memory card, depending on what device the Website User is using. You can read detailed information regarding Cookies and their history here: https://en.wikipedia.org/wiki/HTTP_cookie.
7.2.There are different types of cookies sent by the Website. They can be divided into types based on the following criteria:
- own cookies (created by the Controller’s Website) and
- third party cookies (created by parties other than the Controller)
- session cookies (deleted when the User logs out of the Website or closes the browser) and
- permanent cookies (stored over a certain period of time which is defined by the parameters of each file, or until they are manually deleted)
- necessary cookies (they enable proper functioning of the Website)
- functional/preference cookies (they allow the Website to adjust to the preferences of the visitor)
- analytics and performance cookies (they gather information regarding the way the Website is used)
- marketing, advertising and social media cookies (they gather information regarding the Website user in order to display targeted advertising to this person, as well as other forms of marketing, including that which is displayed in other websites, i.e. in social media)
7.3.The Controller can process data gathered by the Cookie files when the Users visit the Website for the purposes specified below:
remembering the services added to the basket to place an order (necessary cookies)
remembering data from completed order forms surveys or Website login data (necessary cookies and/or functional/preference cookies)
adjusting the Website content (such as colours, font size, page display) to the individual preferences of the Service User and optimizing the use of the Website (functional/preference cookies)
gathering anonymous statistics regarding the way the Website is used (analytics and performance cookies)
remarketing, that is, inspecting the behaviour of Website visitors via an anonymous analysis of their actions in the Website (such as visiting the same pages repeatedly, using certain keywords, etc.) in order to create their profile and provide them with advertising that is suited to their foreseeable interests, even when they visit other websites within the Google Ireland Ltd. and Facebook Ireland Ltd. advertising networks (marketing, advertising and social media cookies)
7.4.The way in which Cookie files are sent via the Website at the given moment, including their lifetime and provider, can be checked in the following way when using the most popular browsers:
(1) click the padlock icon to the left of the address bar,
(2) open the “Cookie files” tab.
(1) click the shield icon to the left of the address bar,
(2) open the “Permitted” or “Blocked” tab,
(3) click the “Cross-site tracking cookies”, “Tracking social media cookies” or “Content with tracking elements”.
(1) Click the “Tools” menu,
(2) go to the “Internet options” tab,
(3) go to the “General” tab,
(4) go to the “Settings” tab,
(5) click “Display files”
(1) click the padlock icon to the left of the address bar,
(2) open the “Cookie files” tab.
(1) click the “Preferences” menu,
(2) go to the “Privacy” tab,
(3) click “Manage website data”
https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/
7.5.As a standard, most browsers available in the market accepts saving cookies by default. Everyone can determine the conditions of cookie use by adjusting the setting of his or her browser. This means that it is possible to partially (e.g. temporarily) limit, or completely disable, cookie saving. In the latter case, certain Website functionalities may suffer (for example, it may not be possible to complete the order form as the choice of services in different steps of the process will not be carried through to the basket).
7.7.The Controller may use Google Analytics and Universal Analytics delivered by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) in the Website. These services help the Controller gather the statistics and perform website traffic analysis. The collected data is processed using the services mentioned above in order to generate statistics which help manage the Website and analyze the traffic in the Website. The data is aggregated. While using the above services in the Website, the Controller gather such data as sources and means of attracting Website visitors, as well as the behaviour of the Website users, information regarding the devices and browsers used to access the Website, their IP address and domain, geographical and demographical data (age, sex) and interests.
7.8.The user can easily block delivering their Website activity data to Google Analytics. For example, there is a dedicated browser plugin developed Google Ireland Ltd., which can be accessed here: https://tools.google.com/dlpage/gaoptout?hl=pl.
7.9.The Controller may use Facebook Pixel delivered by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) in the Website. This service helps the Controller measure the efficiency of advertising, learn the activities performed by Website visitors, and display tailored advertising to them. Detailed information regarding the way in which Facebook Pixel works can be found here: https://www.facebook.com/business/help/742478679120153?helpref=page_content.
7.10.The user can manage the use of Facebook Pixel by adjusting the advertising settings in their Facebook account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
8. FINAL PROVISIONS