TABLE OF CONTENTS:
- GENERAL PROVISIONS
- BASIS FOR THE PROCESSING OF DATA
- PURPOSE, BASIS AND PERIOD OF DATA PROCESSING ON THE WEBSITE
- DATA RECIPIENTS ON THE WEBSITE
- PROFILING ON THE WEBSITE
- THE RIGHTS OF THE DATA SUBJECT
- COOKIES ON THE WEBSITE AND ANALYTICS
- FINAL PROVISIONS
1) GENERAL PROVISIONS
- The Controller of the personal data collected via the Website shall be the company THE BEST CHEF SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ based in Krakow (office and correspondence address: Aleja Pokoju 26/1, 31-564 Kraków); registered in the Register of Entrepreneurs of the National Court Registry under the number: 0000739689; Register Court which holds the company’s documentation: District Court for Krakow – Śródmieście in Krakow, IX Commercial Department of the National Court Registry; share capital in the amount of 5000,00 PLN; Tax ID no. NIP: 6751653415; REGON: 380719739; e-mail address: firstname.lastname@example.org; telephone contact number: +48 604 054 370 – hereinafter referred to as “Controller” and being simultaneously the Seller and Service Provider of the Website.
- Personal data on the Website shall be processed by the Controller in accordance with the binding legal regulations, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) hereinafter referred to as “GDPR” or “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
- The Controller exercises due diligence to protect the interests of data subjects, and in particular is responsible and liable for ensuring that the data collected are: (1) processed in accordance with the law; (2) collected for specific, legal purposes and not subject to further processing inconsistent with those purposes; (3) correct as regards the subject matter and adequate as regards the purpose of the processing; (4) stored in a form making it possible to identify the people they apply to for no longer than is necessary to attain the purpose of processing; and (5) processed in a manner ensuring security of the personal data, including protection against illicit or illegal processing or accidental loss, damage or destruction, with the use of appropriate technical and organisational measures.
- Taking into account the nature, scope, context and purpose of processing as well as the risk of breaching the rights or freedoms of natural persons with varied likelihood and degree of threat, the Controller implements appropriate technical and organisational measures so that the processing takes place pursuant to the Regulation and so that this can be demonstrated. The measures are reviewed and updated as necessary. The Controller applies technical measures preventing the acquisition and modification of personal data sent electronically by unauthorised persons.
2) BASIS FOR THE PROCESSING OF DATA
- The Controller is authorised to process personal data in cases, and to the extent, when at least one of the following conditions is met: (1) the data subject has consented to the processing of their data for one or more specified purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party, or to take actions at the request of the data subject prior to contract conclusion; (3) processing is necessary to meet a legal obligation of the Controller; or (4) processing is necessary for purposes resulting from the legally justified interests of the Controller or a third party, except for situations when the interests or basic rights and freedoms of the data subject which require personal data protection override such interests, especially when the data subject is a child.
3) PURPOSE, BASIS AND PERIOD OF DATA PROCESSING ON THE WEBSITE
- Each time, the purpose, basis, period as well as the recipients of personal data being processed by the Controller result from actions undertaken by a given Service Receiver on the Website.
- The Controller may process the personal data on the Website for the purposes, on the bases and within the periods as follows:
| Purpose of data processing | Legal basis for data processing | Period of data storage |
|---|---|---|
| The performance of the Sales Contract, a contract for the provision of an Electronic Service, other contract or taking actions to the request of the data subject, prior to entering into the above mentioned contracts. | Article 6, par. 1, point b) of the GDPR Regulation (contract performance) – the processing is necessary for the performance of the contract concluded with the data subject or taking actions to the request of the data subject, prior to the entering into the contract. | The data shall be stored for the period necessary for the performance, termination or expiry of a contract entered into in a different manner. |
| Direct marketing | Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller) – the processing is required for achieving the goals based on the legitimate interest of the Controller which includes upholding interests and strengthening reputation of the Controller and their Website as well as striving for providing Electronic Services and Ticket sale. | The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity is three years, and for a Sales Contract two years). The Controller may not process the data for the needs of direct marketing in the case of expressing clear objection in this field by the data subject. |
| Marketing | Article 6, par. 1, point a) of the GDPR Regulation (consent) – the data subject expressed the consent to process its personal data for marketing purposes by the Controller | The data are stored until the data subject withdraws the consent to further process their data to that end. |
| Keeping tax books | Article 6, par. 1, point c) of the GDPR Regulation in relation with Article 74 part 2 of the Accounting Act consolidated text of 30 January 2018 (Journal of Laws of 2018 item 395) – the processing is required for the Controller due to their statutory obligations | The data shall be stored for the legally required period, requesting the Controller to store tax books (5 years from the beginning of the year following the financial year to which the data relate). |
| Determining, pursuing or defence of claims on the side of the Controller, or ones that may arise as regards the Controller | Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller) – the processing is required for the purposes resulting from the legitimate interests of the Controller which includes determining, pursuing or defence of claims on the side of the Controller, or ones that may arise as regards the Controller | The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims against the Controller (the basic period of limitation in the case of claims against the Controller amounts to six years). |
| Use of the Website and ensuring its proper functioning | Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller) – the processing is required for the purposes resulting from the legitimate interests of the Controller which includes operating and maintenance of the Website | The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years). |
| Preparing statistics and analysing the manner of the data subject conduct on the Website | Article 6, par. 1, point f) of the GDPR Regulation (legitimate interest of the controller) – the processing is required for the purposes resulting from the legitimate interests of the Controller which includes preparing statistics and analysing the manner of the data subject conduct on the Website in order to improve the functioning of the Website and its Electronic Services. | The data shall be stored for the period of the legitimate interest of the Controller, however no longer than the period of limitation of claims as regards the data subject under the business activity of the Controller. The period of limitation shall be specified by legal provisions, in particular the Civil Code (the basic period of limitation in the case of claims related to business activity amounts to three years). |
4) DATA RECIPIENTS ON THE WEBSITE
- For the needs of proper Website functioning, inclusive of the proper provision of Electronic Services and the sale of Tickets, it shall be necessary for the Controller to make use of external companies’ services (e.g. software provider, payment processing entity). The Controller uses solely the services of such processing entities which provide sufficient guarantees of implementing appropriate technical and organisational measures so that the processing meets the requirements set out in the GDPR Regulation and protects the rights of data subjects.
- Personal data of the Service Receivers and Customers of the Website may be provided by the Controller to the following recipients or categories of recipients:
a. e-payments or card payment service providers – in the case of a Customer who uses the option of e-payment or card payment on the Website, the Controller makes the collected Customer’s personal data available to the selected payment service provider on the Website for the Controller to the extent necessary to perform the payment of the Customer.
b. service providers rendering for the Controller technical, IT or organisational solutions, making it possible for the Controller to conduct a business, inclusive of the Website and Electronic Services provided via it (in particular computer software providers for the Website, e-mail companies and hosting providers as well as software providers for company management and technical aid for the Controller) – the Controller makes the collected personal data of the Service Receiver available to the selected provider operating to their order only in the case and to the extent necessary for attaining a given purpose of data processing in accordance herewith.
c. accounting, legal and counselling services providers rendering for the Controller accounting, legal or counselling services (in particular an accounting agency, law firm or debt collection company) – the Controller makes the collected personal data of the Service Receiver available to the selected provider operating to their order only in the case and to the extent necessary for attaining a given purpose of data processing in accordance herewith.
d. providers of social plugins, scripts and other similar tools implemented on the Website enabling the browser of the Website visitor to download data from the providers of said plugins and for this purpose making the collected personal data of the visitor available to those providers, including:
5) PROFILING ON THE WEBSITE
- The Controller may use profiling on the Website for direct marketing purposes, yet the decisions made on its basis by the Controller do not concern the conclusion of, or refusal to conclude, the Sales Contract, or the possibility to make use of Electronic Services on the Website. The result of profiling on the Website may be e.g. a discount for a given person, sending a discount code, a reminder about an unfinished purchase process, sending an Event Ticket offer which may be related to the interests or preferences of the person, or offering better conditions as compared with the standard offer of the Website. Regardless of profiling, the person decides freely whether they want to use the discount given or the better conditions and buy a product on the Website.
- Profiling on the Website consists in automatic analysis or forecast of the conduct of a given person on the Website, e.g. by the analysis of the history of activities on the Website. The condition for such profiling is for the Controller to have the personal data of the person, so that they can later send them e.g. a personalised offer or a discount code.
- The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which has legal effects on the person or similarly affects them.
6) THE RIGHTS OF THE DATA SUBJECT
- The right to access, rectify, restrict, erase or transmit – the data subject shall have the right to demand from the Controller access to their personal data, their rectification, erasure (“the right to be forgotten”) or restriction of processing, and shall have the right to object to the processing and to transmit their data. Detailed conditions for exercising the above rights are indicated in Articles 15-21 of the GDPR Regulation.
- The right to withdraw the consent at any time – a person whose data are being processed by the Controller on the basis of the consent given (pursuant to Article 6, par. 1, point a) or Article 9, par. 2, point a) of the GDPR Regulation) shall have the right to withdraw their consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent prior to its withdrawal.
- The right to lodge a complaint with a supervisory body – the person whose data are being processed by the Controller shall have the right to lodge a complaint with a supervisory body in a manner and mode specified in the provisions of the GDPR Regulation and the Polish law, in particular the Personal Data Protection Act. The supervisory body in Poland shall be the President of the Office for Personal Data Protection.
- The right to object – the data subject shall have the right, at any time, to lodge an objection – for reasons related to their particular situation – to the processing of their personal data based on Article 6, par. 1, point e) (public interest or official authority) or f) (legitimate interest of the controller), in the case of profiling based on those provisions. The Controller in such a case must stop processing the personal data, unless they show the existence of legally significant and justified bases for the processing, overriding the interests, rights and freedoms of the data subject, or the bases for determining, pursuing or defending claims.
- The right to object as regards direct marketing – in the case the personal data are being processed for the needs of direct marketing, the data subject shall have the right, at any time, to lodge an objection to the processing of their personal data for the needs of such marketing, including profiling, to the extent to which the processing is related to direct marketing.
7) COOKIES ON THE WEBSITE AND ANALYTICS
- Cookies are small text files sent by the server and saved on the device of the Website’s visitor (e.g. on the hard disk of a computer, laptop, or smartphone’s memory card – depending on the type of device used by the Website’s visitor). Detailed information on Cookies as well as the history of their origin can be found e.g. at: https://pl.wikipedia.org/wiki/HTTP_cookie.
- Cookies, which can be sent via the Website, can be divided into various types, according to the following criteria:
With regard to the provider:
1) own (created by the Controller’s Website) and
2) belonging to other persons/third parties (other than the Controller)

With regard to the period of their retention on the appliance of the Website’s visitor:
1) session Cookies (stored till the moment of closing of the Website or a browser) and
2) persistent Cookies (having some expiration period, defined by the parameters of each file or until they are manually removed)

With regard to the purpose of their usage:
1) strictly necessary Cookies (enabling proper functioning of the Website),
2) functional/preferential Cookies (enabling adjustment of the Website to the visitor’s preferences),
3) analytical and performance Cookies (collecting information on the use of the Website),
4) marketing, advertising or social Cookies (collecting information on the visitor of the Website in order to display personalised advertisements to such a person and for other marketing activities, including those performed on webpages different from the Website, such as social networks)
3. The Controller may process information contained in Cookies when the Website is visited, for the following particular purposes:
Purposes of using Cookies on the Website:
- Saving data from the filled-in forms and polls on the Website (strictly necessary Cookies and/or functional/preferential Cookies)
- Adjustment of the Website contents to individual preferences of the Service Receiver (e.g. colours, font size, layout) and optimisation of the use of the Website (functional/preferential Cookies)
- Keeping anonymous statistics presenting the visitor’s behaviours on the Website (analytical and performance Cookies)
- Remarketing, namely evaluating the conduct of visitors of the Website through anonymous analysis of their activities (e.g. repeated visits on particular pages, key words etc.) to create their profile and provide them with adverts matching their interests, also when they visit other websites in the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. (marketing, advertising and social Cookies)
4. In the most popular Internet browsers, one can check which Cookie files (including the expiry period of Cookies and their provider) are being sent by the Website at a given moment, as follows:
In Chrome browser:
(1) in the address bar, click the padlock icon on the left, (2) go to the “Cookie files” tab.

In Firefox browser:
(1) in the address bar, click the shield icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click the “Tracking Cookies between websites”, “Tracing elements of social networks” or “Content with tracing elements” field.

In Internet Explorer browser:
(1) Click “Tools” menu, (2) go to the “Internet options” tab, (3) go to the “General” tab, (4) then go to the “Settings” tab, (5) click the “Display files” field.

In Opera browser:
(1) in the address bar, click the padlock icon on the left, (2) go to the “Cookie files” tab.

In Safari browser:
(1) click the “Preferences” menu, (2) go to the “Privacy” tab, (3) click the “Manage website data” button.

Regardless of the browser used, using tools available e.g. at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/
5. As a standard, most Internet browsers available on the market accept saving Cookies by default. Every person has the possibility to specify the conditions of using Cookies in the browser settings. It means that one may, e.g. partially restrict (e.g. temporarily) or fully disable saving Cookies – in the latter case it may have an impact on some functionalities of the Website.
7. The Controller may use Google Analytics, Universal Analytics services on the Website, which are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Controller to analyse the frequency of visits on the Website. The data collected are processed in order to generate statistics helpful while administering and analysing traffic on the Website. The data are of collective nature. Using the above services on the Website, the Controller collects such data as the sources and medium of acquiring visitors of the Website and the manner of their conduct on the Website, information concerning their devices and browsers used to visit the website, IP and domain, geographical and demographic data (age, sex) and interests.
8. Sharing information with Google Analytics about activity on the Website can easily be blocked by installing the opt-out add-on provided by Google Ireland Ltd., available at: https://tools.google.com/dlpage/gaoptout?hl=pl.
8) FINAL PROVISIONS