Privacy policy of the perla.pl online service

Definitions

1.1. Controller: Perła – Browary Lubelskie S.A., with its registered office in Lublin, ul.
Bernardyńska 15, 20-950.
1.2. Personal Data – information about a natural person identified or identifiable by one or more factors referring to physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, online identifier and information
collected through cookies, and other similar technology.
1.3. Policy – this Privacy Policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Website – the website run by the Controller on the following address: perla.pl.
1.6. User – any natural person visiting the Website or using one or several services or functionalities described in the Policy.

Data processing in connection with the Website

2.1. In connection with using the Website, the Controller collects Users’ data to the extent necessary for providing the individual services offered, as well as information on the User’s activity on the Website. The detailed principles and purposes of the processing of Personal Data collected in connection with using the Website are described below.

Purposes and bases od data processing on the Website

USE OF THE WEBSITE

3.1. Personal Data of all persons using the Website (including their IP addresses or other identifiers and information collected by means of tools used by the Controller) is processed by the Controller:
3.1.1. for the purpose of providing electronic services in the scope of making the content collected on the Website available to Users – the legal basis for such processing is the fact that the processing is indispensable for the performance of contractual provisions (Article 6.1.b of GDPR);
3.1.2. for analytical and statistical purposes – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR) consisting of conducting 16/16 analyses of Users’ activities, as well as their preferences in order to improve the functionalities used and the services provided;
3.1.3. for the purpose of establishing and investigating claims or defending against them – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR), consisting of the protection of its rights.
3.2. The User’s activity on the Website, including his/her Personal Data, is recorded in system logs (special software used to store a chronological record containing information about the events and activities that concern the IT system used by the Controller to provide services). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller shall also process data for technical and administrative purposes, for the purpose of ensuring security and managing the IT system, as well as for analytical and statistical purposes – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR).

CONTACT FORMS

3.3. Contact with the Controller can be established by means of electronic contact forms.
To use the form, the User is required to provide the Personal Data necessary to contact him/her and to respond to the enquiry. The User may also provide other data in order to facilitate contact or the handling of the enquiry. The provision of data marked as mandatory is required in order to receive and handle the enquiry, and failure to provide such data will render the service impossible. The provision of other data is voluntary.
3.4. Personal Data is processed:
3.4.1. for the purpose of handling the request submitted via the form provided by the Controller – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR), consisting of responding to the request; in the scope of data provided optionally, the legal basis for such processing is the consent granted by the User (Article 6.1.a of GDPR);
3.4.2. for analytical and statistical purposes – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR), consisting of compiling statistics of Users’ enquiries made via the Website in order to improve its functionalities;

Geo-location

4.1. The Controller has provided the Google Maps API tool on the Website which enables displaying information on the location of the Controller’s enterprise. Google is the provider of the tool. In connection with its use, the Controller does not collect data about the User’s location.
4.2. The use of the Google Maps API tool provided on the Website is further governed by the current version of the Specific Terms and Conditions of Use of Google Maps and Google Earth, which can be found on https://maps.google.com/help/terms_maps.
4.3. In connection with using this tool, Google processes the User’s personal data in accordance with the principles described in the current version of its Privacy Policy available on https://policies.google.com/privacy. The Controller is not responsible for data processing by Google.

Recruitment and student internship

5.1. As part of recruitment processes, the Controller expects the transfer of Personal Data (e.g., contained in a CV or resume) only to the extent specified in labour law. Therefore, no additional information should be provided. If the application contains any additional data beyond the scope arising from labour law, the processing of such data will be based on the candidate’s consent (Article 6.1.a of GDPR), expressed through the unambiguous affirmative action of the candidate sending the application documents. If the application contains any information that is not relevant to recruitment purposes, it will not be used or taken into account in the recruitment process.
5.2. Personal Data is processed:
5.2.1. if the preferred form of employment is a contract of employment or a student internship agreement – for the purpose of complying with legal obligations related to the employment process, in particular the Labour Code – the legal basis for such processing is the Controller’s legal obligation (Article 6.1.c of GDPR in relation to labour law);
5.2.2. if the preferred form of employment is a civil law contract – for the purpose of conducting the recruitment process – the legal basis for processing the data contained in the application documents is the action taken prior to the conclusion of a contract at the request of the data subject (Article 6.1.b of GDPR);
5.2.3. for the purpose of carrying out the recruitment process, in the scope of data not required by law or by the Controller, as well as for future recruitment processes – the legal basis for such processing is the consent granted by the User (Article 6.1.a of GDPR);
5.2.4. for the purpose of verifying the qualifications and skills of a candidate or applicant and determining the terms and conditions of cooperation – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR), consisting of verifying the candidates and determining the terms and conditions of cooperation;
5.2.5. for the purpose of establishing or investigating potential claims by the Controller or defending against them – the legal basis for such processing is the Controller’s legitimate interest (Article 6.1.f of GDPR), consisting of the protection of the Controller’s economic interest.
5.3. To the extent that Personal Data is processed on the basis of consent, the consent may be withdrawn at any time, which will not affect the lawfulness of the processing carried out prior to its withdrawal. If the consent is given for the purposes of future recruitment, the Personal Data is deleted after one year – unless it has been withdrawn beforehand.
5.4. The provision of data to the extent stipulated in generally applicable regulations, in particular Article 22(1) of the Labour Code, is required – if the candidate’s preferred form of employment is a contract of employment – by law, in particular the Labour Code, and if the candidate’s preferred form of employment is a civil law contract – by the Controller. Failure to provide such data shall render the processing of the candidate’s application in the recruitment process impossible. The provision of other data is voluntary.

Social networking sites

6.1. The Controller processes Personal Data of Users visiting the Controller’s profiles on social media (Facebook, Instagram, YouTube). This data is processed in connection with running the profile, also for the purpose of informing Users about the Controller’s activities and promoting various events, services and products. The legal basis for the
Controller’s processing of Personal Data for this purpose is its legitimate interest (Article 6.1.f of GDPR), connected with promoting its own brand.

Cookies and similar technologies

7.1. Cookies are small text files installed on the User’s device when browsing the Website. Cookies collect information making it easier to use the Website, e.g., by remembering the User’s visits to the Website and the actions performed.

SERVICE COOKIES

7.2. The Controller uses so-called “service” cookies primarily to render the services provided electronically to the User. Cookies used for this purpose include:
7.2.1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies).

ANALYTICS COOKIES

7.3. The Controller uses analytics cookies to improve the quality of services provided on the Website. In this regard, the Controller and other entities providing analytical and statistical services to the Controller use cookies to store information or access information already stored on the User’s telecommunications terminal equipment (computer, phone, tablet, etc.). Cookies used for this purpose include:
7.3.1. Google Analytics cookies used to analyse the use of the Website and to develop statistics and reports on the functioning of the Website;

SOCIAL PLUG-INS

7.4. The Website uses social networking site plug-ins (Facebook, Instagram, YouTube) which enable the User to share the content published on the Website via the social network of his/her choice. The use of the plug-ins provided on the Website results in the given social networking site receiving information about how the Website is used and may attribute it to the User’s profile created on the given social networking site. The Controller has no knowledge of the purpose and scope of data collection by social networking sites. Detailed information can be found under the following links:
7.4.1. Facebook (Privacy protection principles of Meta);
7.4.2. YouTube (Privacy settings on YouTube – How does YouTube work);
7.4.3. Instagram (Privacy protection principles of Meta);

Analytical and marketing tools used by the Controller an its partners

8.1. The Controller and its Partners use various solutions and tools for analytical and marketing purposes. Basic information about these tools is provided below. For further details, please refer to the privacy policy of individual partners.

GOOGLE ANALYTICS

8.2. Google Analytics cookies are used by Google to analyse the use of the Website by the User, and to develop statistics and reports on the functioning of the Website. Google does not use the collected data to identify the User, nor does it align this information to make such identification possible. Detailed information on the scope and principles of data collection in connection with this service can be found on: https://www.google.com/intl/pl/policies/privacy/partners.

SOCIAL PLUG-INS

8.3. Facebook Pixels is a tool for measuring the effectiveness of advertising campaigns carried out by the Controller on Facebook. The tool allows advanced data analytics to optimise the Controller’s activities also using other tools offered by Facebook. Detailed information on data processing by Facebook can be found here: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.

Management of cookie settings

9.1. Service cookies, which are necessary for the use of the web page, are automatically installed on the User’s device. Their use is necessary for the provision of the telecommunications service (data transmission for the display of content) – the User does not have the possibility to opt out of these cookies if he/she wishes to use the Website.
9.2. Analytics cookies are not automatically installed by the Controller. The User may grant a permission to the Controller to install analytics cookies by giving his/her consent when entering the Website or by using this link.
9.3. The User can consent to the installation of analytics cookies by clicking on the “Accept” button on the banner that appears when entering the web page. The Controller will then be entitled to install analytics cookies according to the settings of the browser used by the User (in the case of default settings, all cookies are installed).
9.4. The User can consent to the installation of only selected analytical cookies. To this end, it is sufficient to click on the “Manage cookies” button on the banner that appears when entering the web page and select the cookies to the installation of which the User wishes to consent.
9.5. The User can withdraw the consent given at any time. To this end, the User should click this link.
9.6. It is also possible to withdraw the consent to the use of cookies via browser settings. Detailed information can be found under the following links:
9.6.1. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorerdelete-manage-cookies
9.6.2. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
9.6.3. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
9.6.4. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
9.6.5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
9.7. If the consent for a given type of cookies has not been given or has been withdrawn (in the case of not accepting the installation of cookies in accordance with the settings of the browser), the Controller will not install such cookies on the User’s terminal equipment.
9.8. The User may at any time verify the status of his/her current privacy settings for the browser he/she is using by means of the tools available at the following links:
9.8.1. http://www.youronlinechoices.com/pl/twojewybory
9.8.2. http://optout.aboutads.info/?c=2&lang=EN

Period of personal data processing

10.1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a general rule, data is processed for the duration of the service provided or the execution of the order, until the consent is withdrawn or until an effective objection is made to the data processing in cases where the legal basis for such processing is the Controller’s legitimate interest.
10.2. The period of data processing may be extended where the processing is necessary for establishing and investigating claims or defending against them, and thereafter only if and to the extent as required by law. After the expiry of the processing period, the data shall be irreversibly deleted or anonymised.

Rights arising in connection with the processing of personal data

RIGHTS OF DATA SUBJECTS

11.1. The following rights are vested in data subjects:
11.1.1. the right to be informed on the processing of personal data – the Controller shall provide the person making the request with information about data processing, including in particular the purposes and legal bases for such processing, the scope of the data retained, the entities to which the data is disclosed, and the planned date of data erasure;
11.1.2. the right to obtain copies of data – the Controller shall provide the person making the request with copies of the processed data;
11.1.3. the right to rectify data – the Controller shall eliminate any inconsistencies or errors in the Personal Data being processed, and to complete it when necessary;
11.1.4. the right to erase data – the data subject may demand the erasure of data whose processing is no longer necessary for the fulfilment of any of the purposes for which it was collected;
11.1.5. the right to restrict processing – if such a request is made, the Controller shall cease to perform operations on Personal Data – with the exception of operations to which the data subject has given his/her consent – and to store such data in accordance with the retention rules adopted or until the reasons for restricting the processing cease to apply (e.g., a decision is issued by a supervisory authority allowing for the further processing of data);
11.1.6. the right to data portability – to the extent that the data is processed by automated means in connection with the concluded agreement or under consent, the Controller shall supply the data provided by the data subject in a computer-readable format. It is also possible to request that the data be sent to another entity, provided that both the Controller and the entity concerned have the technical capacities to do so;
11.1.7. the right to object to data processing for marketing purposes – the data subject may at any time object to the processing of Personal Data for marketing purposes, without having to justify such objection;
11.1.8. the right to object to other data processing purposes – the data subject may at any time object, for reasons connected with his/her unusual circumstances, to the processing of Personal Data which takes place in connection with the Controller’s legitimate interest (e.g., for analytical or statistical purposes, or for reasons connected with property protection); such objection should be made along with providing justification;
11.1.9. the right to withdraw the consent – if the data is processed under the consent, the data subject has the right to withdraw it at any time; however, this shall not affect the lawfulness of the processing carried out before the withdrawal of the consent;
11.1.10. the right to file a complaint – if the processing of Personal Data is considered to be in breach of the provisions of GDPR or other provisions relating to the protection of Personal Data, the data subject may file a complaint with the supervisory body for the processing of Personal Data, having jurisdiction over the data subject’s usual place of residence, place of work or place where the alleged breach has been committed.. In Poland, the supervisory body is the President of the Personal Data Protection Office.

 Reporting a request concerning the exercise of rights

12.1. A request for the exercise of data subjects’ rights can be made:
12.1.1. in writing to the following address; Koordynator Danych Osobowych [Personal Data Coordinator], ul. Bernardyńska 15, 20-950 Lublin.
12.1.2. electronically to the following e-mail address: kodo@biuro.perla.pl
12.2. The request should, as far as possible, indicate precisely what the request concerns, in particular:
12.2.1. which right the requesting person wants to exercise (e.g., the right to obtain a copy of the data, the right to erasure, etc.);
12.2.2. which processing the request refers to (e.g., use of a particular service, activity on a particular website, etc.);
12.2.3. which processing purposes the request refers to (e.g., marketing purposes, analytical purposes, etc.).
12.3. If the Controller is unable to identify the natural person on the basis of the request, it shall request additional information from the person making the request. The provision of such data is not mandatory but failure to provide it shall result in the request rejection.
12.4. The request can be made in person or through a proxy (e.g., a family member). For reasons connected with data security, the Controller encourages the use of a power of attorney in a form certified by a civil-law notary or an authorised legal counsel or attorney, which will all significantly speed up the verification process of the authenticity of the request.
12.5. A response to the request should be provided within one month of receipt. If it is necessary to extend this deadline, the Controller shall inform the requesting persons of the reasons.
12.6. If the request has been addressed to the Company electronically, the response shall be provided in the same form unless the requesting person demanded the response in another form. Otherwise, the response shall be provided in writing. Where the timing of the request makes it impossible to provide the response in writing and the extent of the requesting person’s data processed by the Controller enables electronic contact, the response shall be provided electronically.

Fee collection principles

13.1. The processing of submitted requests is free of charge. Fees may be charged only in the case of:
13.1.1. making a request for issuing the second and each subsequent copy of data (the first copy of data is free of charge); in such cases, the Controller may change PLN 200.00. The aforementioned fee includes administrative costs related to processing the request;
13.1.2. submitting excessive (e.g., very frequent) or clearly groundless requests by the same person; in such cases, the Controller may charge PLN 500.00. The aforementioned fee includes the costs of communication and the costs related to taking the requested action.
13.2. If the decision to impose the fee is contested, the data subject may file a complaint with the supervisory body for the processing of Personal Data, having jurisdiction over the data subject’s usual place of residence, place of work or place where the alleged breach has been committed. In Poland, the supervisory body is the President of the Personal Data Protection Office.

Data recipients

14.1. In connection with the provision of services, Personal Data will be disclosed to external entities, including in particular suppliers responsible for the supply and operation of IT systems.
14.2. The Controller reserves the right to disclose selected information concerning the User to the competent bodies or third parties who make a request for such information by referring to the appropriate legal basis and in accordance with the provisions of the applicable law.

Provision of data outside the EEA

15.1. The level of Personal Data protection outside the European Economic Area (EEA) differs from that envisaged by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, primarily by:
15.1.1. cooperating with the processors of Personal Data in countries for which a relevant decision of the European Commission has been issued regarding the determination of an adequate level of Personal Data protection;
15.1.2. applying standard contractual clauses issued by the European Commission;
15.1.3. applying binding corporate rules approved by the competent supervisory body.
15.2. The Controller shall always disclose its intent to transfer Personal Data outside the EEA upon its collection.

Contact details

16.1. The Controller can be contacted via e-mail kodo@biuro.perla.pl or the following mailing address: Koordynator Danych Osobowych [Personal Data Coordinator], ul. Bernardyńska 15, 20-950 Lublin.
16.2. The Controller has appointed the Personal Data Coordinator who can be contacted via e-mail kodo@biuro.perla.pl on any matter concerning the processing of Personal Data.

Amendments to the privacy policy

17.1. The policy is updated on an ongoing and as needed basis.
17.2. The current version was adopted on and has been binding since 17.04.2023.