The purpose of this document is to lay down rules relating to the processing of personal data by FPWD sp. z o.o. with its registered office in Kraków (Poland), 10/5 Czysta Street, 31-121 Kraków, entered into the Register of Entrepreneurs of the National Court Register (KRS) kept by the Regional Court in Kraków XI Business Department of the National Court Register under KRS No. 0000796238, Tax ID: 6762568854, Statistical ID: 383961027, share capital in the amount of PLN 30,000.00 (the “FPWD”). This document regulates in particular the following issues:
- legal background of General Data Protection Regulation;
- scope and manner of processing of personal data;
- legal basis for processing of personal data;
- data protection principles;
- retention of personal data;
- data subject’s rights.
LEGAL BACKGROUND OF GENERAL DATA PROTECTION REGULATION
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”) have replaced the EU Data Protection Directive 95/46/EC of 1995 and superseded each EU Member States legal regulations regarding the processing of personal data. Its purpose is to protect the rights and freedoms of natural persons (i.e. living individuals) and to ensure that personal data is processed lawfully and safely.
GDPR applies to all data controllers that are established in the EU who process personal data in connection with their activity. GDPR also applies to controllers not established in the EU if they process personal data in order to offer goods and services or monitor the behavior of data subjects who are resident in the EU.
TERMS AND DEFINITIONS
- personal data – means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- data subjects – means all living identifiable individuals whose data is being processed by FPWD; a data subject need not to be an EU resident;
- data controller or controller – means FPWD, who determines the purposes and means of the processing of personal data;
- data processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- data subject consent – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data;
- third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
- supervisory authority – means an independent public authority established by the state to regulate compliance with data protection law by data controllers and data processors and take enforcement action in the case of non-compliance;
- data processor or processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
PERSONAL DATA WE COLLECT
When you visit the website, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the website, and information about how you interact with the website. We refer to this automatically-collected information as “Device Information.”
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
- “Log files” track actions occurring on the website, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the Website.
When you download a Product and/or App or fill out a form on the website, we collect certain information from you, including your name, surname, e-mail address, industry and role. We refer to this information as “Contact Information”. If the download of the Product and/or App is related to the obligation to pay the price, we also collect and process your bank account number or credit card details, depending on the payment method you chose. Additionally, if you have given additional consent to the contribution of content while using the Product and/or App, we may process your image in order to improve the functioning of the Product and/or App.
When you download a Product or App from the website, we track your clicks – specific elements of the application, such as a link or a button – and the time between them. We refer to this as “App Usage Information.” This App Usage Information is sent to us anonymously and is not tied to your Contact Information or to any other personally-identifiable information.
LEGAL BASIS FOR PROCESSING OF PERSONAL DATA
The legal basis for the processing of your personal data is art. 6 sec. 1 letter a) of the GDPR, if the processing is based on your consent. In this case, personal data will be processed until you withdraw your consent to the processing of personal data or until FPWD no longer needs your personal data – depending on which of these conditions will be fulfilled earlier.
If the processing takes place in connection with a separate contract concluded between us, the legal basis for the processing of your personal data is art. 6 sec. 1 letter b) of the GDPR. In this case, your personal data will be processed until the contract is fully performed, and after this period – until the expiry of the limitation periods for claims resulting from the concluded contract.
HOW DO WE USE YOUR PERSONAL DATA
We use the Contact Information that we collect generally to send you our Products, Apps or news of any updates to them. Additionally, we use this Contact Information to:
- communicate with you;
- screen our download requests for potential risk or fraud; and
- when in line with the preferences you have shared with us, provide you with information or advertising relating to our Products, Apps or Services.
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our website (for example, by generating analytics about how our customers browse and interact with the Website, and to assess the success of our marketing and advertising campaigns).
If you have given additional consent to the contribution of content while using the downloaded Product and/or App, your image may be processed in order to improve the functioning of the downloaded Product and/or App.
SHARING YOUR PERSONAL DATA
The recipients of your personal data may be: (a) public authorities authorized to process personal data under the applicable law; (b) persons and entities with whom FPWD concluded separate data processing agreements.
We also share your personal data with third parties to help us use your personal data as described above. For example, we use Google Analytics to help us understand how our customers use the website. You can read more about how Google uses your personal data here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout. We use MixPanel for similar purposes. You can read more about their privacy and security policies here: https://mixpanel.com/legal/privacy-overview/.
Finally, we may also share your personal data to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
As described above, we use your personal data to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at: http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by:
- FACEBOOK – https://www.facebook.com/settings/?tab=ads
- GOOGLE – https://www.google.com/settings/ads/anonymous
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Please note that we do not alter our website’s data collection and use practices when we see a “Do Not Track” signal from your browser.
DATA PROTECTION PRINCIPLES
We process the collected personal data in accordance with the following principles:
- personal data must be processed lawfully, fairly and transparently;
- personal data can only be collected for specific, explicit and legitimate purposes; data obtained for specified purposes won’t be used for a purpose that differs from those originally indicated;
- processed personal data must be adequate, relevant and limited to what is necessary for processing; FPWD does not collect personal data that is not strictly necessary for the purpose for which it is obtained; FPWD also ensures that, on an annual basis, all data collection methods are reviewed to ensure that collected data continues to be adequate, relevant and not excessive;
- processed personal data must be accurate and kept up-to-date with every effort to erase or rectify without delay; data that is stored by FPWD must be reviewed and updated as necessary; no data will be kept unless it is reasonable to assume that it is accurate;
- FPWD is responsible for ensuring that all staff are trained in the importance of collecting adequate, relevant, accurate and limited to what is necessary personal data;
- personal data will be kept in a form that the specific data subject can be identified only as long as is necessary for the processing of personal data;
RETENTION OF PERSONAL DATA
- FPWD will not keep personal data in a form that permits identification of data subjects for a longer period than is necessary, in relation to the purposes for which the data was originally collected.
- The storage period for each category of personal data will be set out by FPWD along with the criteria used to determine this period, including any FPWD’s statutory obligations to retain the data.
- Personal data must be disposed of securely in accordance with the GDPR to ensure appropriate data security. Any disposal of data will be done in accordance with FPWD’s secure disposal procedure.
DATA SUBJECT’S RIGHTS
- The data subject has the right to obtain from FPWD confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from FPWD rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling;
- appropriate safeguards related to the transfer of personal data to a third country.
- FPWD shall provide a copy of the personal data being processed at the request of the data subject. For any further copies requested by the data subject, FPWD may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
- The data subject has the right to obtain from FPWD without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- The data subject has the right to obtain from FPWD the erasure of personal data concerning him or her without undue delay and FPWD shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in EU or Member State law.
- The data subject has the right to obtain from FPWD restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling FPWD to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- FPWD no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- The data subject has the right to receive the personal data concerning him or her, which he or she has provided to FPWD, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from FPWD, where the processing is based on consent and the processing is carried out by automated means. The data subject shall have the right to have the personal data transmitted directly from FPWD to another data controller, where technically feasible.
- The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- The data subject has the right to lodge a complaint with a supervisory authority or to competent court, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
PERSONAL DATA SECURITY
- Personal data must be processed in a manner that ensures an appropriate security.
- All FPWD employees, contractors and advisers are responsible for ensuring that any processed personal data is kept securely and is not under any conditions disclosed to any third party unless that third party has been authorized by FPWD to receive that information and has entered into a confidentiality agreement.
- All personal data processed by FPWD should be accessible only to those FPWD employees, contractors and advisers who have a need to know and have special authorization.
LIABILITIES UNDER THE GDPR
- Under the GDPR, FPWD is considered to be a data controller who is responsible for lawful processing of personal data, especially for compliance with the provisions of the GDPR.
- All employees and contractors at the managerial level who process personal data on behalf of FPWD are liable for compliance with the provisions of the GDPR, as well as for supervising the compliance with the provisions of the GDPR by other FPWD’s employees and contractors.
- No third party may process personal data processed by FPWD without concluding a separate data processing agreement.
- Processing of personal data by a processor shall be governed by a data processing agreement that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of both parties.
- The processor shall not engage another processor without prior, written authorization of FPWD.