1.2. The Controller of the personal data collected via the Website is Greenhomes sp. z o.o. with its registered office in Zabrze, 41-803, ul. Zamkowa 1, entered in the register of entrepreneurs of the National Court Register maintained by the District Court in Gliwice, 10th Commercial Division of the National Court Register, under KRS (National Court Register Number): 0000863658, NIP (Tax Identification Number): 6482800959, REGON (National Official Business Register Number): 387249030, e-mail: email@example.com, contact phone number: +48 796 744 974 – hereinafter referred to as the “Controller”, who is also the Website Service Provider and the Seller.
1.3. Personal data on the Website are processed by the Controller according to the applicable law, including, in particular, according to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “GDPR” or “GDPR Regulation”. Official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
1.5. The Controller takes great care to protect the interests of the persons whose data they process, including, in particular, being responsible for ensuring that the data they collect are: (1) processed according to the law; (2) collected only for the indicated purposes and not subject to further processing contrary to such purposes; (3) correct and adequate to the purposes of processing; (4) kept in a form preventing the identification of the data subjects for periods longer than necessary to achieve the purposes of processing and (5) processed in a way that ensures the appropriate security of the personal data, including protection against prohibited or unlawful processing and accidental loss, destruction or damaging of data using suitable technical or organisational measures.
1.6. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller implements appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation. Those measures are reviewed and updated where necessary. The Controller uses technical measures to prevent the personal data sent electronically from being acquired and modified by unauthorised persons.
BASIS FOR DATA PROCESSING
2.1. The Controller is entitled to process personal data if and to the extent to which at least one of the following conditions is met: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The Controller is entitled to store the IP address of the participant. Only one account can be assigned to each participant. There is no right of participation. The registration cannot be transferred.
PURPOSES, BASIS, PERIOD AND SCOPE OF DATA PROCESSING ON THE WEBSITE
3.1. The Controller may process personal data on the Website for the following purposes, on the following basis, in the following periods and to the following extent:
Performance of a Sale Contract or Electronic Services Contract or taking action upon the request of the data subject before entering into the above-mentioned contracts
Allowing the Customer to express their opinion regarding the Sale Contract they have signed
Keeping tax or account books
Establishment, exercise or defence of claims that may be asserted by the Controller or that may be asserted against the Controller
Article 6(1)(b) of the GDPR Regulation (performance of a contract). The data are kept for the period required for the performance, termination or another form of expiry of the contract.
Article 6(1)(f) of the GDPR Regulation (legitimate interest of the Controller). The data are kept for the duration of the existence of a legitimate interest of the Controller, but in any case not longer than until the end of the limitation period for claims regarding the data subject on the account of the business conducted by the Controller. The claim limitation period is defined by the law, including, in particular, the Civil Code (the basic limitation period for claims connected with the conduct of business is three years, and for a sale contract – two years). The Controller cannot process data for direct marketing purposes if the data subject makes a successful objection in this regard.
Article 6(1)(a) of the GDPR Regulation (consent). The data are kept until the data subject withdraws their consent to the further processing of their data for this purpose.
Article 6(1)(a) of the GDPR Regulation. The data are kept until the data subject withdraws their consent to the further processing of their data for this purpose.
Article 6(1)(c) of the GDPR Regulation in connection with Article 86(1) of the Tax Ordinance Act, i.e., the Act of 17 January 2017 (Journal of Laws of 2017, item 201) or Article 74(2) of the Accounting Act, i.e., the Act of 30 January 2018 (Journal of Laws of 2018, item 395). The data are kept for the period required by the law obliging the Controller to keep tax books (until the end of the limitation period for the tax liability, unless tax acts stipulate otherwise) or account books (5 years, starting from the beginning of the year following the fiscal year the data concern).
Article 6(1)(f) of the GDPR Regulation. The data are kept for the duration of the existence of a legitimate interest of the Controller, but in any case not longer than until the end of the limitation period for claims regarding the data subject on the account of the business conducted by the Controller. The claim limitation period is defined by the law, including, in particular, the Civil Code (the basic limitation period for claims connected with the conduct of business is three years, and for a sale contract – two years).
Maximum scope: first name and last name; e-mail address; contact phone number; delivery address (street, house number, unit number, postal code, town, country), address of residence / business / registered office (if different from the delivery address).
First name and last name, e-mail address, phone number
First name and last name, e-mail address, phone number
First name and last name; address of residence / business / registered office, company name and tax identification number (NIP) of the Service Recipient or Customer
First name and last name; contact phone number; e-mail address; delivery address (street, house number, unit number, postal code, town, country), address of residence / business / registered office
DATA RECIPIENTS ON THE WEBSITE
4.1. To ensure the correct functioning of the Website, including the implementation of Sale Contracts, the Controller has to use the services of external entities (e.g., software provider or payment processor). The Controller only uses the services of processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR Regulation and ensure the protection of the rights of the data subjects.
1. processors of electronic payments or card payments – for Customers who use electronic payments or card payments on the Website, the Controller provides the personal data of the Customer they gather to the selected processor of the above-mentioned payments on the Website engaged by the Controller to the extent necessary for the processing of the Customer’s payment.
2. provider of a review system – for Customers who consented to give their opinion on the Sale Contract they have signed, the Controller provides the personal data of the Customer they gather to the selected provider of the review system used to review the Sale Contracts entered into via the Website engaged by the Controller to the extent necessary for the Customer to give their opinion using the review system.
RIGHTS OF THE DATA SUBJECT
5.1. The right to access, rectification, restriction, erasure or data portability – the data subject will have the right to request from the Controller access to and rectification or erasure (“the right to be forgotten”) of personal data or restriction of processing concerning the data subject or to object to the processing as well as the right to data portability. The specific conditions for the exercise of the above-mentioned rights are given in Articles 15–21 of the GDPR Regulation.
5.2. Right to withdraw the consent at any time – the data subject whose data are processed by the Controller based on their consent (based on Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation) has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5.3. The right to lodge a complaint with the supervisory authority – the data subject whose data are processed by the Controller has the right to lodge a complaint with the supervisory authority according to the GDPR Regulation and Polish law, including, in particular, the Personal Data Protection Act. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
5.4. The right to object – the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6(1)(e) (public interest or tasks) or Article 6(1)(f) (legitimate interest of the Controller), including profiling based on those provisions. In such a situation, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
5.5. The right to object to direct marketing – where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
COOKIES ON THE WEBSITE, PERFORMANCE DATA AND ANALYTICS
6.1. Cookies are small pieces of text information in the form of text files that are sent by the server and saved on the devices of the visitor of the Website (e.g., on the hard drive of a computer or laptop or on the memory card of a smartphone – depending on the type of device used by the person visiting the Website). Specific information about Cookies as well as their history can be found, for instance, here: https://en.wikipedia.org/wiki/HTTP_cookie.
6.2. The Controller may process the data kept in the Cookies while the visitors use the Website for the following purposes:
saving data from filled-out Booking Forms and surveys of the Website;
adapting the contents of the Website to the individual preferences of the Service Recipient (e.g., concerning the colours, font size and page layout) and improving the use of the Website;
maintaining anonymous statistics illustrating the way the Website is used;
6.5. Specific information about the ways of changing the Cookie settings and removing them manually in the most popular web browsers is available in the help section of the web browser and on the following pages (just follow the link):
in the Chrome browser
in the Firefox browser
in the Internet Explorer browser
in the Opera browser
in the Safari browser
in the Microsoft Edge browser
6.6. The Controller may use the services of Google Analytics, Universal Analytics provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the Website. These services help the Controller analyse traffic on the Website. The gathered data are processed in connection with the above-mentioned services in an anonymised fashion (they are the so-called performance data, which do not enable the identification of the data subject) to generate statistics helpful in the administration of the Website. These data are aggregated and anonymous, i.e., they do not include any identifying details (personal data) of the persons visiting the Website. By using the above-mentioned services on the Website, the Controller gathers data such as the sources and the medium used to acquire the visitors to the Website and their behaviour on the Website, information about the devices and browsers they use to visit the website, IP and domain, geographical data and demographic data (age, sex) and interests.
6.7. The data subject can disable the communication of information about their activity on the Website to Google Analytics on the Website – to do so, the data subject can install a browser add-on provided by Google Inc., which can be found here: https://tools.google.com/dlpage/gaoptout?hl=pl