On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, the so-called GDPR) enters into force. Please see important information: GDPR Disclaimer.
I. Preliminary provisions
- This document (Policy) constitutes an attachment to the Regulations of the MSERWIS Websites (Regulations).
- If any term defined in the Regulations is used in this Policy, it shall have the meaning assigned in the Regulations (Operator / Administrator, Website, User, Domain, Hosting, SSL certificate etc.), unless otherwise specified in this document.
- Otherwise, the definitions adopted in this Policy shall apply.
- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, the so-called “GDPR”);
- Personal Data (or “personal data”) – means information about an identified or identifiable natural person (“data subject”); an identifiable natural person, in particular a Website User / Customer, is one who can be identified, directly or indirectly, in particular by an identifier such as his or her full name, identification number, location data, Internet identifier or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
- Personal Information - all information, data, “traces” that may be left by the Website User, even if unintentionally, while using the Websites, even if such data do not constitute Personal Data within the meaning of the above definition.
- Processing (processing) means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, download, viewing, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Profiling (profiling) means any form of automated processing of personal data which involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyse or forecast aspects relating to that individual's work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or mobility;
- Controller, Personal Data Controller, DC, PDC ("controller") means a natural or legal person, public authority, individual or any other entity which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are provided for by Union or Member State law, a controller may also be designated or specific criteria for its designation may be laid down by Union or Member State law; the Controller shall be the Operator;
- Processor (“processor”) means a natural or legal person, public authority, individual or any other entity which processes personal data on behalf of the controller;
- Recipient (“recipient”) means a natural or legal person, public authority, individual or any other entity to whom personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a specific proceeding under Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities must comply with the data protection rules applicable to the purposes of the processing;
- Third Party (“third party”) means a natural or legal person, public authority, individual or entity other than the data subject, controller, processor or persons who, under the authority of the controller or processor, may process personal data;
- Consent (“consent”) of the data subject means a voluntary, specific, informed and unambiguous willingness, by which the data subject, in the form of a declaration or specific affirmative action, consents to the processing of his or her personal data;
- Personal Data Breach (“personal data breach”) means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;
- Supervisory Authority (“supervisory authority”) – the President of the Office for the Protection of Personal Data (PUODO);
- Third Country - a country not belonging to the European Union (EU) or the European Economic Area (EEA).
III. Personal information
- Viewing the Websites and shopping. You can view the content of the Websites without a User/Customer account and even make purchases to a certain extent – with significant restrictions, resulting e.g. from the need to ensure the security of transactions. You can also contact the Controller through the User Support Centre without registering your account.
- Websites’ account / User (Customer) Registration. Most of the Websites’ functionalities, especially with regard to the possibility of purchasing most of the Services, are available only to registered and logged in Users (Customers). Such Users also have additional options available for managing their purchases (of goods/digital products).
- Information on use. While using a Website, the Controller may record information on (in particular):
- Registration IP
- Registration confirmation IP
- Login IP
- Entries to individual Websites’ pages / subpages IP
- Data on the elements “Clicked” by the User on the website
- Location information
- Information on returns to the website – even if the User is not logged in
- Information about shopping preferences, e.g. based on the products viewed, purchases made so far, as well as the things added to the shopping cart, even if a final purchase was not made
- Newsletter subscription data
- Ensure adequate rights. The above takes place with the observance of the rights of the Users, guaranteed, among others, by the GDPR. For details, see the separate document “Information related to the GDPR” (GDPR Information Clause).
- Checking the reading of the information. To ensure the appropriate quality of service, the Controller may place a tag (also known as a web beacon file) in HTML email messages of Customer Service or other sent messages to confirm their delivery. Other adequate/equivalent ways of checking the information by the User or Customer are also possible.
- In the case of sending Personal Information to the Website, it may be used to maintain, share and improve the Website and to process orders and analyse the User's interests in the products offered on the Website.
- The Controller does not use Personal Information of Users to send commercial or advertising messages without their consent. The Controller may use the email address for purposes other than advertising or administrative (such as notification of the status of the User's orders, availability of the Services, etc.). This applies in particular to communication in connection with the fulfilment of the order.
- The Controller may also implement marketing objectives on a basis other than the Consent – in particular on the basis of Article 6(1)(f) GDPR. These issues are described in more detail, inter alia, in the Information related to the GDPR (GDPR Information Clause) document.
IV. Personal data
- The Operator processes users' personal information in accordance with the law (in particular Article 6 of GDPR). In order to protect personal data against accidental or unlawful destruction, loss, alteration, or against unauthorized disclosure and access, the Operator adopts technical and organizational security measures (described among others in the internal documentation, mentioned in recital (78) of GDPR, including, in particular, in the Personal Data Protection Policy implemented by the Administrator).
- When you submit your personal information, the Operator normally uses it to prepare an offer (in particular regarding Services), fulfil orders (in particular regarding Services) and maintain contact with people interested in the Operator's offer as well as with the Operator's customers. We can store and process personal data in order to better understand the needs of those (Users) interested in the offer and our customers, as well as to be able to improve our products and services.
- The Operator's sites are operated so as not to collect personal information, except in cases where the visitors (Users) themselves agree to it (e.g., when completing the registration form, or signing up for the newsletter), or when it is permitted by the personal data collection regulations.
- The Operator shall respond to all justified requests to access the personal information and correct or delete any inaccuracies in such information. Any registered user of the website can access and update their personal information after they have authenticated themselves to the website.
- The Operator does not sell or otherwise share the customers' personal information with third parties, with the following exceptions, and only if necessary:
- in order to prepare the offer, for services execution and delivery,
- in order to achieve an additional goal which is directly related to the purpose for which the personal information was originally submitted,
- for legal reasons, or when required by the competent governmental or judicial authorities,
- to prevent fraud or other illegal activities.
- Detailed information on the rules applicable to personal data sharing related to the services that we provide is available in the Terms and Conditions as well as in the GDPR Disclaimer.
- When you browse our websites, the Operator may automatically collect non-personal information sent by your browser (e.g., the type of Internet browser used to access our website and the operating system, the address of a referring website, number of visitors, average time spent on the site, the sequence of pages viewed). The Operator can use this data and share it with third parties in order to generate statistical data that does not allow the identification of the person who supplied particular information, so as to improve the performance and contents of our sites.
- The Controller may use Google Analytics or other similar systems from external providers (Third Parties), including entities having their seat in Third Countries, on the Website.
- In particular, Google Analytics mainly uses its own cookies to report on user interactions on Google Analytics’ customer sites (our Services – Website).
- Google (Third Party) cookies regarding advertisements are used to support Google Analytics Advertising Features (such as remarketing) in Google advertising network services, such as AdWords. More about this technology, about the additional cookies it uses and about how to disable this technology can be found on the data security pages published by the manufacturer of this technology at the address: https://support.google.com/analytics/answer/6004245.
VI. Links to other websites
The Operator's sites may feature links to other websites operated by external parties. You should familiarize yourself with the relevant policies of those sites.
VII. Unsolicited messages
- The Operator reserves the right to send unsolicited, unannounced messages to people whose contact details have been collected and who have expressed their consent.
- The term 'unsolicited messages' applies to messages containing information directly related to services provided by the Operator and services provided by the Operator's partners. Messages may contain information about services used by the client (such as payment details, subscription end dates, use of services), as well as marketing information about other services (such as promotions, special offers, new services on offer).
- The Operator normally sends messages once a month on average. In exceptional cases (e.g., notification of major changes to the service) messages may be sent more often. Each recipient of the said messages may at any time revoke a previously given consent to receiving them.
- Cookies are used to:
- customize the web content of the Operator's Sites to the preferences of the user and optimize the use of the Operator's Sites, for example in order to identify the user's device and to display pages tailored to their individual needs;
- collect data to generate statistics about visitors and how they use the Operator's Sites, which enables us to improve them continuously;
- maintain the user's session after logging into the Site, which facilitates its use by not having to log in again with every new activity.
- The Websites use two basic types of cookies: session cookies and persistent cookies. Session cookies are temporary files that are stored on the user's computer until the user logs out, leaves the website or disables the software (a web browser). Persistent cookies are stored in the terminal equipment of the user for the time specified in the cookie parameters or until their removal by the user.
- Cookies may be installed in the terminal equipment of the Websites' user, as well as used by advertisers and partners (Third Parties, including entities having their seat in Third Countries) cooperating with the Operator.
- In particular, cookies placed on the Website User's end device may be used by entities cooperating with the Website Operator, including those having their headquarters in a Third Country. This applies, inter alia, to the following entities: Google (Google Inc. based in the USA), Facebook (Facebook Inc. based in the USA), Twitter (Twitter Inc. based in the USA).
- The Operator uses Google Analytics to analyze traffic on the Website pages.
- In terms of information about user preferences collected by the Google advertising network, the user can view and edit information derived from cookies using the https://www.google.com/ads/preferences/ tool.
- Please note that most web browsers by default allow cookie installation and storage, also by our Sites, in the terminal equipment of the user. These settings can be modified in such a way as to block the automatic handling of cookies or to notify the user every time cookies are installed on the user's equipment. Changing of the cookie settings in the most popular web browsers:
- Please note that enabling cookies is required to use some of the features of these sites.
IX. Data transfer to Third Countries
- As a rule, personal data is not transferred to a Third Country or an international organization outside the European Economic Area (EEA). However, such transfer may take place within the scope described below.
- In particular, the transfer of personal data to Third Parties based in a Third Country may take place in connection with the Operator (Website Administrator) using analytical or advertising services provided by a Third Party, such as, for example, Google LLC, based in a Third Country (USA), including its services such as Google Adwords and Google Analytics.
- In such a case, the transfer takes place to the United States of America (USA), on the basis of a decision of the European Commission (the so-called Privacy Shield), stating that an adequate level of personal data protection is ensured in relation to entities participating in the program, including the provider of the above-mentioned services - Google LLC, Mountain View, California.
- The transfer of data may also take place to a Third Party having its registered office in a Third Country, in the event that the User / Client orders a service that by its nature requires the transfer of personal data to a Third Country, i.e. in particular registration of a domain name whose Domain Registry is operated only by a Third Party based in a non-EEA country or an SSL Certificate operated by such entity. In this case, personal data are transferred regardless of whether a decision of the European Commission has been issued in relation to a given third country or an international organization, stating an adequate level of data protection, or whether other safeguards specified in Art. 46 or 47 of the GDPR are in place. The data will be transferred only to the extent necessary to perform the ordered service due to the fact that only such transfer of data enables the Service to be provided - in accordance with the will of the User / Customer.
- It should also be noted that, due to the specificity of the Services provided by the Operator, it is impossible to determine in advance and describe in this document all possible situations of personal data transfer to a Third Country (outside the EEA), including in connection with the Registration of Domains, the purchase of SSL Certificates or ordering other Services offered by the Operator. There are over 1,500 domains in the IANA database, including national, international and nTLD domains, whose Registers are often kept by separate organizations operating in Third Countries. More information can be obtained from the websites indicated below, accompanied by a description:
- Information about entities maintaining Domain Registers, including their place of residence, can be found on the IANA website (Internet Assigned Numbers Authority): https://www.iana.org/domains/root/db,
- Information about countries, organizations or other entities for which the European Commission has issued decisions on the determination of an adequate level of personal data protection is available on the official website of the Commission: https://www.ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
X. GDPR Disclaimer