- Controller – Provider Sp. z o. o, ul. Grabiszyńska 163, 53-439 Wrocław
- Personal Data – means the information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name and surname, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Policy – this document
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Webpage – the webpage maintained by the Controller at www.provider-group.com
- User – the natural person visiting the webpage www.provider-group.com
In connection with the use of the webpage by the User, the Controller collects personal data to the extent necessary to provide individual offered services, as well as information about the User’s activity. Personal data of all the persons using the webpage (including the IP address or other identifiers and information collected via cookies or other similar technology) are processed by the Controller:
- in order to electronically provide the services of making the webpage content available to Users and sharing contact forms – the legal basis for such processing is the necessity of processing to perform the contract (Article 6(1)(b) GDPR);
- for analytical and statistical purposes – the legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in analyzing Users’ activity and preferences in order to improve the functionalities used and the services provided;
- in order to establish and pursue or defend claims, if any – the legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in protecting its rights;
- for the Controller’s marketing purposes.
The User’s activity on the webpage, including their personal data, is recorded in system logs (a special computer program for storing chronological records containing information on events and activities related to the IT system intended for the provision of services by the Controller). The information gathered in the logs is processed in connection with the provision of services. The Controller also processes such information for technical purposes, in particular, the data may be temporarily stored and processed to ensure security and proper operation of IT systems, e.g. backups, testing of IT system changes, irregularity detection or protection against abuse and attacks.
The Controller provides contact options using electronic contact forms. When using the form personal data necessary to contact the User and to respond to the inquiry must be provided. The User may also provide other data to facilitate contact or process the inquiry. Data marked as mandatory is required in order for the inquiry to be accepted and processed, and failure to provide it will result in inability to provide services. Provision of other data is voluntary. Personal data provided via the contact form is processed:
- in order to identify the sender and process their inquiry sent via the form – the legal basis for such processing is the necessity of processing to perform the contract for services (Article 6(1)(b) GDPR);
- for analytical and statistical purposes – the legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in keeping statistics of User inquiries made via the Site in order to improve its functionalities.
The Controller processes Users’ personal data in order to carry out marketing activities (the basis for such data processing is pursuit of the Controller’s legitimate interest (Article 6(1)(f) GDPR)), and may include:
- displaying marketing content to the User (contextual advertising);
- email notifications about interesting offers or content, which in some cases contain commercial information;
- other types of activities related to direct marketing of goods and services (commercial information distributed electronically and telemarketing activities).
In order to carry out marketing activities, in some cases the Controller uses profiling. This means that through automatic data processing, the Controller assesses selected factors related to natural persons in order to analyze their behaviors or to design future forecasts. The consent to marketing activities may be withdrawn at any time. If the User consents to receiving marketing information via email, text or other electronic means of communication, the User’s personal data will be processed for the purpose of sending such information. The basis for data processing is the legitimate interest in sending marketing information within the limits of the consent granted by the User (direct marketing). The User has the right to object to data processing for purposes of direct marketing, including profiling. The data will be stored for that purpose for the duration of the legitimate interest of 2 years, unless the User objects to receiving marketing information.
- cookies with data entered by the User (session ID) for the duration of the session,
- authentication cookies used for services that require authentication for the duration of the session,
- cookies used to ensure security, e.g. used to detect abuse in authentication,
- cookies used to monitor traffic on the webpage, i.e. data analytics, to create statistics and reports on Site operation.
The duration of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, the data is processed for the duration of the service, until the consent is withdrawn or an effective objection to data processing is raised in those instances where the legal basis for data processing is the Controller’s legitimate interest. The duration of data processing may be extended if the processing is necessary to establish and pursue or defend any claims, and afterwards, only if and to the extent required by law. After the lapse of the processing period, the data is irreversibly erased or anonymized.
The User has the following rights:
- The right to information about personal data processing – in the event of such a request, the Controller provides information about personal data processing, including in particular about the purposes and legal grounds for processing, the scope of data held, the entities to whom personal data is disclosed and the planned date for data erasure;
- The right to obtain a copy of the data – in the event of such a request, the Controller provides a copy of the processed data of the person making the request;
- The right to rectification – in the event of such a request, the Controller removes any inconsistencies or errors regarding the personal data being processed, and supplements or updates it, if incomplete or changed;
- The right to data erasure
- The right to restriction of processing – in the event of such a request, the Controller ceases to perform operations on personal data, with the exception of operations consented to by the data subject and data storage in accordance with the adopted retention policies;
- The right to data portability – in the event of such a request, the Controller releases the data provided by the data subject in a computer readable format. The data may also be requested to be forwarded to another entity, provided, however, that there are technical capabilities to do so at the Controller and at the other entity;
- The right to object to data processing for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify the objection;
- The right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons related to property protection). An objection in this regard should state the reasons and will be reviewed by the Controller;
- The right to withdraw the consent – if the data is processed on the basis of consent, the data subject has the right to withdraw it at any time, which, however, will not affect the lawfulness of the processing carried out prior to such withdrawal;
- The right to lodge a complaint – if it is found that personal data processing violates provisions of the GDPR or other provisions on personal data protection the data subject may lodge a complaint with the President of the Office for Personal Data Protection.
A request regarding the exercise of data subjects’ rights may be submitted by email at email: [email protected]. The request will be addressed within one month of its receipt. In connection with the provision of services, personal data will be disclosed to third parties, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting, legal, audit and consulting services. The Controller conducts an ongoing risk analysis to ensure that personal data is processed safely in a manner ensuring, above all, that only authorized persons have access to the data and only to the extent necessary for the tasks they perform. The Controller makes sure that all operations on personal data are recorded and performed only by authorized employees and associates. The Controller takes all necessary steps to ensure that its subcontractors and other associated entities guarantee the application of appropriate safeguards whenever they process personal data on behalf of the Controller.
The Controller may be contacted via the email address email: [email protected]