Ladies and Gentlemen,
On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation” or “GDPR”) and the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000) adopted on its basis entered into force. Both regulations create an amended system of personal data protection, which replaces the Act of 29 August 1997 on the Protection of Personal Data, previously in force in Poland.
The new legislation introduces unified rules for the protection of personal data in all European Union countries, regardless of whether the data are processed in paper or digital (electronic) form.
Personal data are any information relating to a natural person or making it possible to uniquely identify that person (to determine his/her name). These can be text data, but also biometric data (e.g. fingerprints), facial images of the person (e.g. photos, videos) and others. Whenever we can determine the identity of a natural person on the basis of the data, we are dealing with personal data and, at the same time, with a person to whom the data refer.
The new legislation lays strong emphasis on the transparency of the rules for data processing, inter alia by ensuring that the data controller complies with information obligations towards the data subject.
In order to ensure transparency of the processing of your personal data, as well as to ensure compliance with the provisions of the Regulation, we inform you that REDD GROUP SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Warsaw, hereinafter referred to as “REDD” or the “Company”, processes your personal data as the Controller.
This document is intended to provide you with all the necessary information required by the Regulation (GDPR) concerning the processing of your personal data.
Should you have any additional questions, feel free to contact us.
– REDD Team
INFORMATION ON THE PROCESSING OF PERSONAL DATA
INFORMATION OBLIGATIONS OF THE CONTROLLER
Who is the Controller of my personal data?
The Controller of your personal data, i.e. the entity that decides about the purposes and methods of their processing, is REDD GROUP SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (limited liability company), with its registered office in Warsaw at Prosta Street 20, registered in the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register under KRS number 0000885903, having share capital of PLN 5,000, REGON: 388281082, NIP: 5272950847.
How can I contact you with regard to personal data?
If you wish to contact us in regard to the processing of personal data, you can do so:
- a) by e-mail at email@example.com or
- b) in written form, by traditional mail at the address: Prosta 20, 00-850 Warsaw
annotation: personal data
In what kind of situations do you process my personal data?
We process your personal data in the following situations:
- you use our services or sign up for our newsletter,
- you use our services by adding your agents and collaborators to our Portal
- you use our services as a Subscriber,
- you take part in trainings, competitions and promotional campaigns organised by us,
- sometimes we ask our clients to take part in market research. Any personal data used for research purposes will be used only upon your consent,
- we may use the collected data for testing, research, analysis and product development. This allows us to improve and strengthen the safety and security of our services, develop new features and products, as well as provide insurance and financial solutions related to our services,
- During phone conversations with REDD personnel, we can listen to or record these calls for quality control or training purposes. Recordings are saved for a limited period of time and then automatically deleted unless REDD has a legitimate reason to keep them for a longer period of time (if necessary), including investigations into fraud cases,
- in specific cases there may be a need to use your data in order to resolve legal disputes, in the case of official proceedings, in matters relating to compliance with laws,
- for this purpose, we may process certain personal data such as your name, surname, date of birth, data concerning the use of our services, if the claims arise from the way you use our services, as well as other data necessary in order to prove the existence of the claim, including the extent of the damage suffered.
- we also process your personal data when we send you marketing information about us or our business partners (provided that you have given your prior consent).
Do I have to provide you with my personal data?
The provision of personal data is voluntary, but some of your data may be necessary in order to use the Portal and properly provide our services.
In addition, some of your data are necessary for us to comply with the legal requirements referred to below.
What kind of data do you process?
We process only those data that are necessary to fulfil the purpose for which they were collected. Depending on the type of service provided, the scope of data may differ:
- 1) If you use our services, we process both your and your employees’ personal data such as first name, last name and contact details.
- 2) If you take part in events organized by us (e.g. trainings), we process your data, including your first name, last name, telephone number, e-mail address.
- 3) If you take part in competitions organised by us, we process, inter alia, your first name and last name, telephone number, email address and, in some cases, bank account number if you have won a cash prize.
- 4) If you use our Portal or website, we process data related to your location, IP address, browser used, your actions (for example, which pages you visit) including data collected through cookies and similar technologies. Your personal data are used for advertising and statistical purposes as well as to adjust the service to the individual needs of users. The use of these data also enables us to provide you with maximum convenience by saving your preferences and settings on our pages.
- 5) If we issue a sales document to you, we process such data as: your first name and last name, address (registered office), PESEL number or NIP number.
- 6) If we contact you by electronic means or using telecommunications terminal equipment and automatic calling systems (after you have given your consent to such communication), then (depending on the form of communication) we process such data as: your first name and last name, telephone number, e-mail address.
What is the purpose of processing my personal data?
We process your personal data for the purpose of taking action at your request (e.g. response to an enquiry or request), for the purpose necessary to conclude and perform a contract or provide a service, including the handling of any complaints or claims arising from contracts.
The processing of some of your personal data is also necessary for us to fulfil our legal obligations, such as the obligation to store certain data for a certain period of time, the collection of certain information to verify and identify you, or the transfer of data to authorised bodies or entities, such as those arising from:
- 1) the Act of 29 September 1994 on Accounting,
- 2) the Act of 11 March 2004 on Value Added Tax,
- 3) the Act of 16 November 2000 on Counteracting Money Laundering and Terrorism Financing,
We also process your data for other legally justified purposes, inter alia for the purpose of:
- 1) monitoring activity on our websites (e.g. through cookies and the tools used by us),
- 2) direct marketing of our products or services – it allows us to inform you about our offer (subject to your prior consent),
- 3) monitoring and logging your access to resources provided by us, as well as for administrative purposes, preventing, detecting, and pursuing claims for possible security breaches.
If we choose to process your data for a purpose other than that for which we collected them, we will inform you of this and request your consent, if required by law.
On what legal basis do you process my personal data?
We process personal data in accordance with the applicable law, in particular in accordance with the provisions of the Regulation (GDPR) on personal data.
The legal basis for processing your personal data is:
- your consent, or
- processing of your application or request, or
- conclusion and fulfilment of the contract, or
- pursuing of the legitimate interests of the Controller, or
- our compliance with the obligations arising from applicable laws.
For how long will you process my personal data?
For specific cases, the duration of data processing is as follows:
- 1) if we process your data on the basis of a contract, the processing will continue for as long as the contract is in force and for the period of limitation of possible claims,
- 2) if you have given your consent to processing for a specific purpose, we shall process your personal data until you withdraw your consent, and then we shall delete your data immediately,
- 3) the data we process in the exercise of our legitimate interest will be processed as long as that interest exists,
- 4) we will process the data processed for the purpose of compliance with the obligations arising from applicable laws for as long as this is required by those laws.
Who are the recipients of the data?
The recipients of the data are persons authorised by the Controller to use the data in the execution of their professional duties, who are commissioned by the Company to perform such activities.
In certain situations, we have the right to transfer your personal data if it is necessary for us to perform our services, fulfil our obligations and adequately comply with applicable laws.
We use the help of external entities to perform some of our responsibilities (e.g. destruction of documents, data storage, accounting and HR and payroll services, legal services, marketing services, IT services). In justified cases, we will also provide such data to the relevant authorities.
In such cases, we entrust personal data to subcontractors in order to fulfil a specific purpose on our behalf (under the Data Processing Agreement), while still remaining the Controller of your data and being responsible for its security.
We will transfer data solely to these three groups:
- 1) persons authorized by us, our employees, collaborators and members of the Company organs, who must have access to data in order to properly perform their duties,
- 2) processing entities commissioned by us to perform this activity for a specific purpose (e.g. accounting office, law firm, IT company),
- 3) other recipients of personal data (e.g. law enforcement authorities, banks).
Do you share my personal data with third parties?
We do not share your personal data with any third party except for the following situations:
- 1) you have given your voluntary consent to such sharing. Your prior consent can be withdrawn by you at any time, in the same straightforward manner as it was given.
- 2) the sharing is necessary for the performance of a contract or the provision of a service.
- 3) In certain cases, your personal data may be disclosed to authorized entities pursuant to generally applicable laws (e.g. law enforcement agencies, auditor for the purpose of auditing the Company’s financial statements).
Each application for access is carefully assessed by us and the transfer of personal data occurs only if, as a result of this assessment, we consider that there is a valid and effective legal basis to require disclosure of your data to these parties.
We do not transfer your personal data to third countries (outside the EEA) or to international organizations.
Do you transfer personal data outside the European Union?
Our partners are based mainly in Poland and other countries of the European Economic Area (EEA). Some of our vendors are based outside the EEA. We have ensured that our suppliers guarantee a high level of personal data protection in connection with the transfer of your data outside the EEA. These guarantees result in particular from the obligation to apply the standard contractual clauses adopted by the Commission (EU) or to participate in the “Privacy Shield” programme established by Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
- saving user preferences and settings;
- assessing content popularity;
- implementation of advertising campaigns and measuring their effectiveness;
- analysing website traffic and trends, and a general understanding of internet behaviour and the preferences of people using our services.
How do you protect my personal data?
The Controller shall make every effort to ensure that the physical, technical and organisational measures are taken to protect personal data against accidental or intentional destruction, accidental loss, alteration, unauthorized disclosure, use or access, in accordance with all applicable laws.
What are my rights and how can I exercise them?
You have the following rights in regard to the processing of your personal data:
- 1) the right to obtain information on the processing of your personal data, i.e. the “information obligation” (in accordance with Articles 12 and 13 of GDPR),
- 2) the right of access to the content of your personal data (according to Article 15 of GDPR),
- 3) the right to request the rectification of your personal data (in accordance with Article 16 of GDPR), i.e. to correct inaccurate data and to complete incomplete data,
- 4) the right to request a restriction of processing of your personal data (in accordance with Article 18 of GDPR),
- 5) the right to request the transmission of your personal data to another Controller (in accordance with Article 20 of GDPR),
- 6) the right to object to the processing of your data based on your specific situation (in accordance with Article 21(1) of GDPR); however, this right is not absolute, i.e. despite your objection, we may still process your personal data if we can prove that there are valid, legitimate reasons for processing, prevailing over your rights and freedoms or bases for establishing, asserting or defending claims,
- 7) the right to object to the processing of your personal data for the purposes of direct marketing, to the extent that the processing is related to such direct marketing. This objection does not require any justification or conditions of effectiveness – in this case we will no longer be able to process your personal data for direct marketing purposes.
Withdrawal of consent does not affect the legality of processing carried out on the basis of consent given prior to its withdrawal.
- 8) the right to request the erasure of your personal data (according to Article 17 of GDPR) – i.e. the “right to be forgotten”, which you can exercise for example when:
- a) REDD is processing your personal data unlawfully,
- b) you object to the processing of your personal data for marketing purposes,
- c) the data must be deleted in order for REDD to fulfil its legal obligation;
You may exercise the above rights by submitting an appropriate declaration to us (the Data Controller):
- a) by e-mail at firstname.lastname@example.org or
- b) in written form, by traditional mail at the address:
Prosta 20, 00-850 Warsaw
annotation: personal data
- 9) you also have the right to lodge a complaint with a supervisory authority, i.e. the President of the Personal Data Protection Office (formerly the Inspector General for Personal Data Protection – GIODO).
Third party content
We would like to draw your attention to the fact that from time to time we insert links on the website leading to other websites that are not administered by us. We cannot be held responsible for the content of these sites or the level of privacy protection provided by the administrators of these sites. We recommend that you read the privacy policies of these websites before you provide them with your personal data.