1.1. Controller – Perła – Browary Lubelskie S.A. (joint-stock company) with its registered office in Lublin (20-950), Bernardyńska 15 Street.
1.2. Personal Data – any information about a natural person, identified or identifiable by one or several factors defining his/her physical, physiological, genetic, psychic, economic, cultural or social identity, including the IP of the device, location data, online identifier and information collected through cookie files and other similar technologies.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5. Website – online services run by the Controller at the address perla.pl and perla.logintrade.net.
1.6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
2. Data processing in connection with the use of the website
2.1. In connection with the User’s use of the website, the Controller collects data with the scope necessary to provide its respective services and collects information about the User’s activity on the Website. The detailed rules and purposes of processing the personal data collected during the use of the Website by the User are described below.
3. Purposes and legal basis of data processing at the website
USE OF THE WEBSITE
3.1. Personal data of all the persons using the Website (including the IP address or other identifiers and information collected through cookie files and other similar technologies) who are not registered Users (i.e. persons with no profile on the Website) are processed by the Controller:
3.1.1. to provide services electronically to provide Users with an access to the content collected on the Website – in this case, the legal basis for the processing is that processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
3.1.2. for analytical and statistical purposes – in this case, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) GDPR) to analyze the activity of Users and their preferences in order to improve the functionalities used and the services provided;
3.1.3. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights.
3.2. Activity of a User on the Website, including his/her personal data, is recorded in system logs (a special computer program for storing a chronological record of information about events and actions concerning the IT system used for providing services by the Controller). The information collected in logs is processed mainly for purposes related to the provision of services. The Controller also processes the information for technical, administrative purposes and in order to ensure security of the IT system and to manage the system and also for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) consisting in providing and improving the functionalities offered to the Users.
REGISTRATION ON THE WEBSITE
3.3. The persons who register on the Website are asked to provide data needed to set up and maintain an account. To facilitate customer service, the User may provide additional data, thus giving consent to their processing. Such data may be deleted at any time. Provision of data marked as mandatory is required to set up and maintain an account, and a failure to provide them makes it impossible to set up the account. Provision of other data is voluntary.
3.4. Personal data are processed:
3.4.1. to provide services connected with running and maintaining an account on the Website – the legal basis for the processing is that the processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
3.4.2. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights;
3.5. If the User enters any personal data of other people on the Website (including their names, addresses, telephone numbers or e-mail addresses), he/she may only do so provided that this does not breach the applicable laws or the personal rights of these persons.
3.6. Placement of a purchase order by a Website User entails the processing of his/her personal data. Provision of data marked as mandatory is required to accept and handle a purchase order and a failure to provide them results in the order not being performed. Provision of other data is optional.
3.7. Personal data are processed:
3.7.1. to fulfill a submitted purchase order – the legal basis for the processing is that processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
3.7.2. for analytical and statistical purposes – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to analyze the activity of Users on the Website as well as their shopping preferences to enhance the functionalities used;
3.7.3. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights.
3.8. The Controller ensures technical solutions for contacting it by using electronic contact forms. Using the form requires that personal data are provided, which is needed to contact the User and answer his/her inquiry. The User may also give other data to facilitate contact or inquiry handling. Provision of data marked as mandatory is required to accept and handle an inquiry, and the failure to provide them makes it impossible to handle it. Provision of other data is voluntary.
3.9. Personal data are processed:
3.9.1. to identify the sender and handle his/her inquiry sent by the provided form – the legal basis for the processing is the necessity of the processing to perform a contract for providing a service (Article 6(1)(b) GDPR); with respect to the provision of optional data – the legal basis for the processing is consent (Article 6(1)(a) of GDPR);
3.9.2. in order to answer the inquiry – the legal basis for the processing of mandatory data is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to answer received inquiries regarding its conducted business activity;
3.9.3. for analytical and statistical purposes – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to perform analyses of the inquiries made by Users through the Website to enhance its functionalities.
3.10. The Controller ensures the possibility to contact him/her via live chat using LiveChat plugin.
3.11. Personal data are processed in order to answer the inquiry – the legal basis of the personal data processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) to answer received inquiries regarding its conducted business activity.
4. Social media
4.1. The Controller processes personal data of Users who visit the Controller’s profiles in the social media (Facebook, Instagram). The data are processed only in connection with maintaining the profile, also in order to inform the Users about the Controller’s activity and promote various events, services and products. The legal basis of the personal data processing by the Controller for the above purpose is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) to promote its own brand.
5. Cookies and similar technologies
5.1. Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information to facilitate using a website, e.g. by remembering the User’s visits at the Website and actions performed by him or her.
5.2. The Controller uses the so called “service” cookies primarily to provide the User with services electronically and improve the quality of these services. Accordingly, the Controller and other entities providing analytical and statistical services on its behalf, storing information or gaining access to information already stored in the User’s terminal telecommunications equipment (a computer, telephone, tablet, etc.). Cookie files used for the above purpose include:
5.2.1. user input cookies (session identifiers) stored for the duration of a session;
5.2.2. authentication cookies used for services that require authentication for the duration of a session;
5.2.3. user-centric security cookies, e.g. used to detect abuses concerning authentication;
5.2.4. multimedia player session cookies (e.g. flash player cookies);
5.2.5. persistent user interface customization cookies for the duration of a session or slightly longer.
5.3. The Controller and its trusted partners use also cookies for marketing purposes, e.g. in connection with sending behavioral advertising to Users. For this purpose, the Controller and its trusted partners store information or gain access to information already stored in the User’s terminal telecommunications equipment (a computer, telephone, tablet, etc.).
6. Analytical and marketing tools used by controller’s partners
6.2. Google Analytics cookies are used by Google to analyze how the User uses the Website as well as to compile statistics and reports about the operation of the Website. Google does not use the collected data to identify a User and neither does it combine any information items to make such an identification possible. Detailed information on the scope and rules of collecting data in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
6.3. Google Ads is a tool which enables measuring the effectiveness of advertising campaigns executed by the Controller and allows to analyze such data as e.g. key words or the amount of unique users. Google Ads Platform allows to display our advertisements to the persons who have visited the Website in the past. Information on the data processing by Google in the scope of the above service can be found at: https://policies.google.com/technologies/ads?hl=pl.
6.4. Facebook Pixel is a tool which enables measuring the effectiveness of advertising campaigns executed by the Controller on Facebook portal. The tool enables an advanced data analytics in order to optimize the Controller’s acts together with the use of other tools offered by Facebook. Detailed information on data processing by Facebook can be found at: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
7. MANAGEMENT OF COOKIES SETTINGS
7.1. The usage of cookies in order to collect the data, as well as gaining access to the data stored in the User’s device, requires his/her prior consent. The User may withdraw his/her consent at any given time.
7.2. In case of cookies which are necessary to the provision of telecommunication service (data transmission in order to display content) the consent is not required.
7.3.1. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
7.3.2. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
7.3.3. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
7.3.4. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
7.3.5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
7.4. At any time, the User may verify the status of his/her current privacy settings for the used browser by using the tools under the links below:
8. Period of personal data processing
8.1. The period of data processing by the Controller depends on the type of provided service and the purpose of the processing. In principle, data are processed for the entire period of providing the service or fulfilling a purchase order until the moment of withdrawing consent or filing an effective objection to the data processing in the cases where the legal basis for the processing is the Controller’s legitimate interest.
8.2. The data processing period may be extended if processing is necessary to determine and pursue possible claims or defend against claims and, after that time, only when and to the extent required by law. After the elapse of the processing period, the data are irreversibly deleted and anonymized.
9. rights RELATed TO THE PROCESSING OF PERSONAL DATA
DATA SUBJECTS’ RIGHTS
9.1. Data subjects have the following rights:
9.1.1. The right to information on the processing of personal data – on this basis, the Controller provides the natural person submitting the request with information on the processing of the data, including primarily the purposes and the legal basis of the processing, the scope of the data held, entities to which the data is disclosed and the planned date of data deletion;
9.1.2. The right to obtain a copy of the data – on this basis, the Controller provides a copy of the processed data concerning the natural person submitting the request;.
9.1.3. The right to rectification – the Controller is obliged to remove any inconsistencies or errors in the processed personal data and amend such data, if incomplete;
9.1.4. The right to erasure – on this basis, one may request the deletion of the data which processing is no longer necessary for any of the purposes for which they were collected;
9.1.5. The right to restrict the processing – if such a request is made, the Controller ceases the performance of operations on the personal data – except for operations consented to by the data subject – and their storage, in accordance with the adopted retention rules or until the reasons of the processing restriction no longer exist (e.g. a supervisory authority decision is issued allowing further data processing);
9.1.6. The right to data portability – on this basis, within the scope of data processed by automated means in connection with concluded contract or given consent – the Controller issues the data provided by the data subject in a format which can be read by a computer. It is also possible to request that the data be sent to another entity, provided however, that there is technical capacity in this regard on the part of both the Controller and the designated entity;
9.1.7. The right to object to the data processing for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without the need to justify such objection;
9.1.8. The right to object to other purposes of data processing – the data subject may at any time object, on grounds relating to his or her particular situation, to the processing of personal data which is carried out on the basis of the legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons relating to the protection of property); the objection in this respect should include a justification;
9.1.9. The right to withdraw consent – if data is processed based on a given consent, the data subject has the right to withdraw it at any time, nonetheless this does not affect the lawfulness of the processing carried out prior to the withdrawal of the consent;
9.1.10. The right to complain – if the processing of personal data is considered to violate the provisions of the GDPR or other regulations regarding the protection of personal data, the data subject may lodge a complaint with the authority supervising the processing of personal data, competent in respect of the data subject’s habitual residence, place of work or place of perpetration of the alleged violation. In Poland the supervisory authority is the President of the Personal Data Protection Office.
10. MAKING requests RELATED TO THE EXERCISE OF RIGHTS
10.1. A request regarding the exercise of the rights of data subjects may be submitted:
10.1.1. in writing to the Controller’s address;
10.1.2. by e-mail to the following address: email@example.com
10.2. The request should, as far as possible, indicate precisely what is requested, i.e. in particular:
10.2.1. what right the applicant wishes to exercise (e.g. right to obtain a copy of the data, right to erasure data, etc.);
10.2.2. what process is concerned by the request (e.g. use of a specific service, activity on a specific website, receiving a newsletter containing commercial information to a specific e-mail address, etc.);
10.2.3. what are the purposes of the processing involved in the request (e.g. marketing purposes, analytical purposes, etc.).
10.3. If the Controller is unable to identify the person submitting a request based on the request submitted, the Controller will ask this person for additional information. The provision of such data is not obligatory, but failure to provide such data will result in a refusal to fulfill the request.
10.4. The request may be submitted in person or by a proxy (eg. a family member). For the data security reasons, the Controller encourages the use of a power of attorney certified by a notary public or an authorized legal counsel or attorney, which will significantly speed up the verification of the authenticity of the request.
10.5. A reply to the request shall be given within one month of its receipt. If it is necessary to extend this deadline, the Controller shall inform the person making the request of the reasons for such extension.
10.6. In case a request has been submitted to the Company electronically, the reply shall be provided within the same form, unless the applicant has requested a reply in another form. In other cases, answers shall be given in writing. If the deadline for the execution of the request renders it impossible to provide an answer in writing and the scope of the applicant’s data processed by the Controller enables contact by electronic means, the answer shall be provided by electronic means.
11. CHARGING PRINCIPLES
11.1. Proceedings regarding submitted requests are free of charge. Charges may only be collected if:
11.1.1. a request is made for the second and each subsequent copy of the data (the first copy of the data is free of charge); in this case, the Controller may demand a fee of 200 PLN. The above fee includes administrative costs related to the execution of the request;
11.1.2. the same person submits requests that are excessive (eg. extremely frequent) or clearly unjustified; in this case, the Controller may demand a fee of 500 PLN. The above fee includes the costs of conducting communication and the costs related to taking the requested actions;
11.2. If the decision to impose a charge is disputed, the data subject may file a complaint with the data-processing supervisory authority competent in respect of his or her habitual residence, place of work or place of perpetration of the alleged violation. In Poland the supervisory authority is the President of the Personal Data Protection Office.
12. Data recipients
12.1. In connection with provision of services, personal data will be disclosed to external entities, including in particular vendors responsible for the supply and maintenance of IT systems and entities related to the Controller, including companies comprising its capital group.
12.2. The Controller reserves the right to disclose selected information items referring to the User to relevant authorities or third parties which will demand that they are provided such information pursuant to an appropriate legal basis and in compliance with prevailing laws.
13. Transfer of data outside the EEA
13.1. The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits personal data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
13.1.1. cooperating with personal data processors in the states with respect to which a relevant decision of the European Commission has been issued determining an adequate level of protection for personal data;
13.1.2. application of standard contractual clauses issued by the European Commission;
13.1.3. application of binding corporate principles approved by the relevant supervisory authority;
13.1.4. if data is transferred to the USA – cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
13.2. At the data collection stage, the Controller informs the User of the intention to transfer personal data outside the EEA.
14. Personal data security
14.1. The Controller conducts an ongoing risk analysis to ensure that personal data are processed in a secure manner, guaranteeing first of all that access to the data is provided only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller makes sure that any operations on personal data are recorded and performed only by authorized employees or collaborators.
14.2. The Controller takes any necessary actions so that also its subcontractors and other cooperating entities guaranteed the application of appropriate security measures in each case when they process personal data on the Controller’s behalf.
15. Contact data
15.1. The Controller may be contacted by e-mail firstname.lastname@example.org or in writing at its address: Bernardyńska 15 Street, 20-950 Lublin.
15.2. The Controller has appointed a Data Protection Officer that may be contacted by e-mail email@example.com in any matter concerning personal data processing.
16.2. The User who does not accept the Website’s terms of service after the new version of the Policy enters into force, may cease using the Website and its services.
16.3. The present version of the Policy was approved and has been in force since 29.11.2019.