Personal data collected by the Administrator of the Internet Service are processed in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27/04/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1), (hereinafter: the GDPR).
The Administrator of the Internet Service takes the utmost care to protect the privacy and the information provided thereto and related to users of the Internet Service. The Administrator selects and applies appropriate technical measures, including programming and organizational measures, to ensure the protection of personal data being processed, in particular, to secure the data against access by unauthorized entities, disclosure, loss and destruction, unauthorized modification, as well as illegal processing.
The Services available on the web page are not addressed to children under 16 years of age. The Personal Data Controller does not plan to intentionally collect data on children under 16 years of age.
Personal Data Controller
Your Personal Data Controller is:
Andrzej Nedoma Inwestycje i Doradztwo
- Emaus 4/4,
30-201 Kraków, Poland
You may contact the Personal Data Controller in matters related to your personal data by:
- electronic mail: email@example.com;
- traditional mail: ul.Emaus 4/4, (ZIP CODE) 30-201 Kraków, Poland.
The Purpose and the Legal Basis for Personal Data Processing
The Personal Data Controller processes your personal data for the following purposes and in the following scope:
- to take action before concluding the contract at your request (i.e. to create your account), that is data provided in the registration form on the Internet Service, i.e. e-mail address, name and family name, telephone number; to provide Services which require the creation of the Account, we process your data specified in the Account, including data on implemented services and paid services;
- to provide services which do not require that you create the Account, that is to browse the website of the Internet Services, use chat or other Services and to contact in relation with the use of the contact form, we process personal data related to your activity in the Internet Service, in other words, information about the content you browse, data on sessions of your device, operating system, browser, location, unique ID, IP address;
- to perform the provision of Services Contract and allow to use functionalities that require the creation of an account, i.e. ordering online training, delivery of online training, payment for online training and other services, users communications, we process personal data provided by you and through forms as well as data regarding your activity on the Internet Service, i.e. data concerning the Services you are viewing, as well as session data, your device, and operating system, browser, location, and a unique ID. The provision of some data is a prerequisite for using certain Services and account functionality (mandatory data). Our system automatically marks mandatory data. As a consequence of your failure to provide such data, we will not be able to provide certain services and functionalities of the Account. Contrary to data marked as mandatory, providing other personal data is voluntary;
- to conduct statistics of the usage of particular functionalities available on the Internet Service, to facilitate the use of the Internet Service and to ensure IT security of the Internet Service, we process personal data regarding your activity on the Internet Service and the amount of time spent on each of the subpages on the Internet Service, your search history, location, IP address, device ID, data regarding your internet browser and operating system;
- to determine, investigate and enforce claims and defend against claims in court proceedings and before other enforcement authorities, we may process your personal data provided upon registration on the Internet Service (Account creation), ordering services and other data which may be necessary to prove the existence of the claim or which result from the legal requirement, court order or other legal procedure;
- to resolve complaints, claims, and requests and to answer users requests, we process the personal data provided by you in complaints, claims, and requests, or to answer questions in another form, as well as data on the Services we provide that are the reason for the complaint, claim or request, and the data included in documents attached to complaints, claims and requests;
- for market research and opinion polling by us or our partners, i.e. information about services, your data provided when using the services, e-mail address. We do not use data collected under market research and opinion polls for advertising purposes. The exact guidelines are included in the information about a given survey or in a place of your data entering;
- for the marketing of our Services and services of our partners, including remarketing, we process personal data provided by you on the creation of your Account and its updates, data about your activity on the Internet Service including activity recorded and stored via cookies, in particular the history of activity, ordered services, search history, clicks on the Internet Service, history and your activity related to our communication with you. For remarketing, we use data about your activity in order to reach you with our marketing messages outside of the Internet Service, and for this purpose, we use the services of external suppliers. These are based on displaying our messages on web pages other than within the Internet Service. Further details are available in provisions regarding Cookies.
Categories of Personal Data Concerned
The Personal Data Controller processes the following categories of personal data concerned:
- contact details;
- data entered in the account;
- data regarding ordered Services on the Internet Service;
- data regarding providing Services to the user, including obligatory data to implement Service:
- data regarding activity on the Internet Service;
- data regarding complaints, claims, and requests;
- data on marketing services.
Voluntary Personal Data
Providing the required personal data is voluntary and is a necessary condition for the provision of services by the Personal Data Controller via the Internet Service.
Data Processing Time
Personal data will be processed for the period necessary to execute services, carry out marketing activities, and provide other services for the user. Personal data will be removed in the following cases:
- when the data subject asks for their removal or withdraws his/her consent;
- when the data subject does not take action for more than 10 years (inactive contact);
- after receiving information that the stored data are out of date or inaccurate.
Some data, including e-mail address, name, and surname, may be stored for the next 3 years for evidence purposes, for consideration of complaints and claims related to services provided by the Internet Service – these data will not be used for marketing purposes.
Data regarding orders for paid services, competitions, and loyalty programs will be kept for 5 years from the end of the calendar year in which the tax payment deadline expired.
Data regarding non-logged users are stored for a period of time corresponding to the lifecycle of cookies stored on the devices or until they are deleted by the user on the user’s device.
Your personal data regarding preferences, behaviors, and selection of marketing content may be used as a basis for making automatic decisions to determine the sales possibilities of the Internet Service.
Personal Data Recipients
We transfer your personal data to the following categories of recipients:
- state authorities, e.g. prosecutor’s office, Police, President of the Office of Personal Data Protection, President of the Office of Competition and Consumer Protection, if they request so,
- service providers that we use to run the Internet Service, e.g. to execute an order. Depending on contractual arrangements and circumstances, these entities act on our behalf or define the purposes and methods of data processing by themselves. The list of suppliers is available on our Web page under the following link: xtrf.eu/privacy-policy/suppliers/.
Rights of the Data Subject
Based on the GDPR, you have the right to:
- request access to your personal data;
- request rectification of your personal data;
- request erasure of your personal data;
- request restriction of personal data processing;
- object to the processing of personal data;
- request portability of personal data.
Personal Data Controller will provide you, without undue delay – and in any case within one month of receiving the request, with information about actions taken in connection with your request.
Before mentioned one month period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
In any event, the Personal Data Controller will inform you of such an extension within one month of receiving the request, giving the reasons for the delay.
The Right of Access to Personal Data (Article 15 of the GDPR)
You have the right to obtain from the Personal Data Controller confirmation as to whether your personal data are being processed.
If the Controller is processing your personal data, you have the right to:
- acquire access to personal data;
- obtain information about the purposes of the processing, categories of personal data being processed, data recipients or categories of recipients, the envisaged period for which the personal data will be stored or the criteria used to determine that period,
- obtain information about your rights under the GDPR and the right to lodge a complaint with the supervisory authority, about the data source, automated decision-making, including profiling, and security measures used in connection with the transfer of these data outside the European Union;
- obtain a copy of your personal data.
If you want to request access to your personal data, please submit your request to firstname.lastname@example.org.
The Right to Erasure of Personal Data, So-called “Right to Be Forgotten” (Article 17 of the GDPR)
You have the right to request the Personal Data Controller to erase your personal data when:
- your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you have withdrawn your specific consent to the extent to which personal data were processed based on your consent;
- your personal data have been unlawfully processed;
- you have objected to the processing of your personal data for the purpose of direct marketing, including profiling, to the extent to which the processing of personal data is related to direct marketing;
- you have objected to the processing of your personal data in connection with the processing necessary to perform the task carried out in the public interest or processing necessary for purposes arising from legitimate interests pursued by the Personal Data Controller or a third party.
Despite submitting a request to erase personal data, the Personal Data Controller may process your data further for the establishment, exercise, or defense of legal claims, about which you will be informed.
If you want to request the erasure of your personal data, please submit your request to email@example.com.
The Right to Submit a Request to Restrict the Processing of Personal Data(Article 18 of the GDPR)
You have the right to request the restriction of your personal data processing when:
- you contest the accuracy of your personal data – the Personal Data Controller will restrict the processing of your personal data for a period allowing to verify data accuracy;
- the processing of your personal data is unlawful, but you oppose their erasure and request the restriction of their use instead;
- your personal data are no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of your legal claims;
- you have objected to the processing of your personal data – pending the verification whether the legitimate grounds of the Controller override your grounds mentioned in your objection.
If you want to request the restriction of your personal data processing, please submit your request to firstname.lastname@example.org.
The Right to Object to Personal Data Processing (Article 21 of the GDPR)
You have the right to object at any time to the processing of your personal data, including profiling, in connection with:
- the processing necessary to perform the task carried out in the public interest or processing necessary for purposes arising from legitimate interests pursued by the Personal Data Controller or a third party;
- processing for direct marketing purposes.
If you want to object to the processing of your personal data, please submit your objection to email@example.com.
The Right to Request the Personal Data Portability(Article 20 of the GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit them to another personal data controller.
You may also request the Personal Data Controller to transmit your personal data directly to another controller (where technically possible).
If you want to request the personal data portability, please submit your request to firstname.lastname@example.org.
The Right to Withdraw Consent
You may withdraw your consent to the processing of your personal data at any time.
Withdrawal of consent to the processing of personal data does not affect the legality of the processing based on your consent before its withdrawal.
If you want to withdraw your consent to the processing of your personal data, please submit your request to email@example.com or use appropriate functionalities in the Account.
Complaint to the Supervisory Authority
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority, in particular in the Member State of your habitual residence, your place of work, or place of the alleged infringement.
In Poland, the President of the Personal Data Protection Authority is the supervisory authority within the meaning of the GDPR.