- Controller – Żabka Polska sp. z o.o., with its registered seat in Poznań, ul. Stanisława Matyi 8, 61-586 Poznań, entered in the Register of Business Entities maintained by the District Court for Poznań – Nowe Miasto i Wilda in Poznań, VIII Commercial Division of the National Court Register, under KRS No.: 0000636642, NIP: 5223071241, REGON: 36538839800000, having a share capital of PLN 113,215,000.00.
- Personal Data – means any information relating to an identified or identifiable natural person who can be identified by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including the IP of a device, location data, Internet identifier and information collected through cookies and other similar technology.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Service – internet service operated by the Controller at: https://raportodpowiedzialnosci.zabka.pl/.
- User – each natural person visiting the Service or using one or several of the services or functionalities described in the Policy.
2. PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE SERVICE
- In connection with the use of the Service by the User, the Controller shall collect data within the scope necessary for the rendering of the specific services on offer as well as the information about the User’s activities in the Services. Below please find the detailed rules for and the objectives of the processing of Personal Data collected during the use of the Service by the User.
3. PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE SERVICPURPOSE AND LEGAL GROUNDS FOR THE PROCESSING OF DATA IN THE SERVICEE
USE OF THE SERVICE
- The Personal data of all the persons using the Service (including the IP address and other identifiers and information collected through cookies or other similar technologies) shall be processed by the Controller:
- for the rendering of services electronically in terms of providing Users the content of the Service – such processing is necessary for the performance of a contract (Article 6(1)(b) of the GDPR);
- for analytical and statistical purposes – the processing is based on the legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR), i.e. conducting analyses of the activities of Users as well as their preferences to improve the applied functionalities and services rendered;
- for the establishment, if any, and pursuit of claims or defence against claims – the processing is based on the legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR), represented by the protection of its rights;
- for the marketing purposes of the Controller and other entities, specifically related to the presentation of behavioural advertising – the rules of processing Personal data for marketing purposes have been described in the MARKETING section.
- User activity in the Service, including its Personal data, is registered in system logs (special computer software used for storing the chronological record with information about events and actions which relate to the IT system used by the Controller to render services). The information collected in the logs is processed predominantly for purposes related to the rendering of services. The Controller processes information also for technical and administrative purposes to ensure the safety of the IT system and to manage such system, and also for analytical and statistical purposes – in this respect, the processing is necessary for the purposes of the legitimate interests of the Controller (Article 6(1)(f) of the GDPR).
- The Controller processes the Personal data of Users for the purposes of conducting marketing activities, which may involve:
- presenting the User with marketing content which is adjusted to such User’s preferences (contextual advertising);
- presenting the User with marketing content corresponding to such User’s interests (behavioural advertising).
- For the purposes of some marketing actions, in some circumstances, the Controller employs profiling. It means that thanks to automatic data processing, the Controller makes an assessment of selected factors concerning Users to analyse their behaviour or to create a forecast. It enables the presented content to be better adjusted to the User’s individual preferences and interests.
- The Controller processes the Personal data of users for marketing purposes in connection with presenting Users with contextual advertising (i.e. advertising which is not adjusted to User’s preferences)). In such case, Personal data is processed for the purposes of the legitimate interests of the Controller (Article 6(1)(f) of the GDPR).
- The Controller and its trusted partners process the User’s Personal data, including the Personal data collected through cookies and other similar technologies, for marketing purposes in connection with presenting Users with behavioural advertising (i.e. advertising adjusted to User preferences). In such case, the processing of personal data includes User profiling.
- For a list of trusted partners of the Controller, please see the following.
5. SOCIAL MEDIA
- The Controller processes the Personal data of Users visiting the Controller’s profiles maintained on social networks (Facebook, YouTube, Instagram, LinkedIn). Such data is processed exclusively in connection with maintaining the profile, including informing the Users about the activities of the Controller and promoting various types of events, services and products. The legal basis for the processing of Personal Data by the Controller for this purpose is the legitimate interests of the Controller (Article 6(1)(f) of the GDPR) involving the promotion of its own brand.
6. COOKIES AND SIMILAR TECHNOLOGY
- Below please find detailed information concerning the cookies used by the Controller in the Services. The Controller uses the following files: required, functional, analytical and advertising.
- The Controller’s use of the required cookies is necessary for the proper functioning of the website. Such files are installed specifically for the purposes of recalling login sessions or the filling in of questionnaires, and for the purposes of setting privacy options.
- The legal basis for the processing of data in connection with the application of the required cookies is the necessity of processing for the purposes of performance of a contract (Article 6(1)((b) of the GDPR).
- If the User wishes to obtain more information on the specific cookies in this category, i.e. the names of specific cookies, an overview of the functioning thereof, or the validity or origin thereof, he should click on the button available in the footer of each subpage of the Service. After the cookie’s banner is displayed, he should click on “Manage cookies” and then display the “Required cookies” list and the “Details” button below.
FUNCTIONAL AND ANALYTICAL COOKIES
- Functional cookies are used for remembering and adjusting the Service to User preferences, inter alia, in terms of language preferences. Functional cookies may be installed by the Controller and its partners through the Service.
- Analytical cookies enable the obtaining of information such as the number of visits and the sources of movement in the Services. They are used to establish which pages are more and which are less popular and to understand how the Users navigate the page by collecting statistical data concerning movement in the Services. The data is processed to improve the efficiency of the Service. The information collected by cookies is aggregated and thus their purpose is not to determine a User’s identity. Analytical cookies may be installed by the Controller and its partners through the Service.
- The legal basis for the processing of Personal data in connection with the use of functional and analytical cookies by the Controller are its legitimate interests (Article 6(1)(f) of the GDPR), involving ensuring the highest standard of services rendered in the Service in connection with the User’s consent for the registration of such cookies (separately for analytical files and separately for functional files).
- The processing of Personal data in connection with the use of functional and analytical cookies depends on securing the User’s consent for the use of (separately) the functional and analytical cookies through the platform for managing consents for cookies. The consent may be withdrawn at any time through that platform.
- If the User wishes to obtain more information about the specific files of those categories, i.e. the names of the specific cookies, an overview of the functioning, or the validity or origin thereof, please click on the button available in the footer of each subpage of the Service. After the cookie’s banner is displayed, please click on “Manage cookies” and then display the “Analytical cookies” or “Functional cookies” list, and then on the “Details” button under each of the lists.
- Advertising cookies enable the adjustment of the presented advertising content to Users’ interests within the scope of the Service as well as outside the Service. A User’s interest profile is developed based on the information collected in such cookies and the User’s activity in other services. Advertising cookies may be installed by the Controller and its partners through the Service.
- The legal basis for the processing of Personal data in connection with the use of the advertising cookies by the Controller is its legitimate interests, (Article 6(1)(f) of the GDPR), involving the promotion of the Controller’s brand and providing information about the Controller’s current offering, including by presenting Service Users with marketing information corresponding to their interests based on such Users’ consent for the registration of advertising cookies.
- The Personal data related to the use of advertising cookies may be processed after obtaining the User’s consent for applying the consent through the consent management platform. The consent may be withdrawn at any time through such platform.
- If the User wishes to obtain more information about the specific files of this category, i.e. the names of the specific cookies, the overview of the functioning, or the validity or origin thereof, he should click on the button available in the footer of each subpage of the Service. After the cookie’s banner is displayed, he should click on “Manage cookies” and then display the “Advertising cookies” list, and then on the “Details” button below.
7. ANALYTICAL AND MARKETING TOOLS APPLIED BY THE CONTROLLER’S PARTNERS
- The current list of Trusted Partners is available here.
- Cookies of Google Analytics are files used by Google to analyse the Users’ ways of using the Service, to create statistics and reports concerning the functioning of the Service. Google does not use the collected data for User identification and does not combine such information to allow identification. The detailed information about the scope and the terms of collecting data in connection with such services is available at: https://www.google.com/intl/pl/policies/privacy/partners.
- Google Ads is a tool allowing to measure effectiveness of advertising campaigns conducted by the Controller that allow to analyse such data as, for example, key words or the number of unique users. The Google Ads Platform allows also to show our ads to persons who visited the Service in the past. Information on the processing of data by Google within the scope of such services is available at: https://policies.google.com/technologies/ads?hl=pl.
- Facebook Pixels is a tool for measuring the effectiveness of advertising campaigns conducted by the Controller on Facebook. The tool allows for advanced analysis of data to optimise the actions of the Controller including with the use of other tools offered by Facebook. For detailed information concerning the processing of data by Facebook please see: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
- The Service uses social network plugins (Facebook, Google+, LinkedIn). The plugins allow the User to share content published in the Service on chosen social network. The use of plugins in the Service result in the given social network obtaining information about the use of the Service by a given User and may allocate them to the User profile created in the given social network. The Controller is not aware of the purpose and scope of collecting data by social networks. For detailed information on that subject please see:
8. MANAGING COOKIE PREFERENCES
- Consent is not required only in the case of cookies which must be applied to render any telecommunication services (data transmission for the purposes of displaying content) – the User does not have the option of disabling such cookies if he wishes to continue to use the Service.
- In order to receive advertising adjusted to User preferences, besides consenting to the installation of cookies through the cookies consent management platform, it is necessary to maintain relevant preferences for the Internet browser enabling the storing of cookies originating from the Service on the User’s end device.
- Consent for the collection of cookies in the Services may be withdrawn through the cookies consent management platform. The User may go back to the banner by clicking on the button available in the footnote of each subpage of the Service.
- After clicking on the banner, the User may withdraw consent by clicking on the “MANAGE COOKIES” button. Subsequently it is necessary to uncheck the box in the relevant category of cookies and click on “SAVE PREFERENCES AND CLOSE”.
- Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
- Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
- Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
- Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
- Safari: https://support.apple.com/kb/PH5042?locale=en-GB
- The User may verify the status of his current privacy setting for the given Internet browser using the tools available at the following links:
9. TIME OF PROCESSING PERSONAL DATA
- The period of processing of personal data by the Controller depends on the type of services rendered and the purpose of processing. In principle, data is processed throughout the time of rendering of services or performance of an order, or submission of an effective objection against the processing of data in cases where the legal basis for the processing of the data is the legitimate interests of the Controller.
- The duration of the processing of the data may be extended if the processing is required to establish and to enforce any claims or to defend oneself against any claims, and after such time, only in the event that and to the extent that it is required by law. After the lapse of the processing period, the data is irrevocably deleted or anonymised.
10. USER’S RIGHTS
- The User shall enjoy the following rights:
- the right to information about the processing of personal data – on this basis, the Controller provides a natural person making a request, information about the processing of data, including specifically the purposes and legal bases for the processing, the scope of the received data, the subjects to which it is disclosed, and the planned deadline for erasing the data;
- the right to receive a copy of the data – on this basis, the Controller provides a copy of the processed data concerning a natural person submitting the request;
- right to rectification – the Controller is required to eliminate any inconsistencies or errors in the processed Personal data or supplement it if it is incomplete;
- the right to erase the data – on this basis, one may demand erasure of the data, the processing of which is no longer necessary for the achievement of one of the purposes for which it was collected;
- the right to restrict processing – if such request is made, the Controller discontinues any operations on Personal data, except for operations which were consented to by the data subject and the storage of such data, in accordance with the adopted rules of retention or until the discontinuance of the grounds for the restriction of data processing (e.g. a decision of the supervisory authority is issued which allows for further processing of data);
- right to data portability – on this basis, to the extent that such data is processed in an automated manner in connection with the conclusion of a contract or granted consent, the Controller shall release the data provided by the data subject in a machine-readable format. It is also possible to demand that such data be sent to another entity, however on condition that there are technical means available, both on the side of the Controller and of the designated entity;
- right to object – the User may object to the processing of data for marketing purposes if the processing is conducted in connection with the legitimate interests of the Controller, and for reasons related to the specific circumstances of the User; otherwise, if the legal basis for the processing of data is the legitimate interests of the Controller (e.g. in connection with the achievement of analytical and statistical objectives);
- the right to withdraw consent – if data is processed on the basis of granted consent, the User has the right to withdraw it at any time, which, however, shall not impact the compliance with the law of the processing conducted prior to such withdrawal;
- right to submit a complaint – if it is established that the processing of Personal data is in breach of the GDPR or other Personal data protection regulations, the User may submit a complaint to the authority supervising the processing of Personal data that is competent with respect to the ordinary place of stay of the data subject, his or her place of work, or the place of committing the alleged breach. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
11. DATA RECIPIENTS
- In connection with the performance of the services, Personal data will be disclosed to third parties, including specifically to suppliers responsible for the servicing of IT systems, marketing and advertising agencies, suppliers of analytical and marketing tools, and affiliates of the Controller, including companies in its capital group.
- The Controller reserves the right to disclose selected information concerning the User to the relevant authorities or third parties which submit a request for the separation of such information, on the relevant legal basis and in accordance with the applicable laws.
12. TRANSMISSION OF DATA OUTSIDE THE EEA
- The level of protection of Personal data outside the European Economic Area (EEA) differs from that secured under EU law. For that reason, the Controller shall transfer Personal data outside the EEA only if it is necessary and with assurance of the appropriate level of protection, mostly through:
- cooperation with the entities processing the Personal data in the countries with respect to which the relevant decision of the European Commission was issued concerning the assurance of a relevant level of protection of Personal data;
- the application of standard contractual clauses issued by the European Commission; and
- the application of binding corporate rules approved by the relevant supervisory authority.
- The Controller shall always inform about the intention to transfer Personal data outside the EEA at the stage of data collection.
13. CONTACT DATA
- The Controller may be contacted by email: email@example.com at the address for service:
ul. Stanisława Matyi 8, 61-586 Poznań.
- The Controller has appointed a Data Protection Officer who may be contacted by email: firstname.lastname@example.org in any matter concerning the processing of Personal data.
- This Policy shall be verified on as-necessary basis and updated, if required.
- The existing version of this Policy has been adopted and is in force as of [2022.02.01].