1.1. Controller – Oknoplast Sp. z o. o. with its registered office in Ochmanów, Ochmanów 117, 32-003 Podłęże, Poland.
1.2. Personal data – all information about a natural person who is identified or identifiable by reference to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, Internet identifier, and information collected by means of cookies or another similar technology.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Website – the website maintained by the Controller at the address www.oknoplast.no .
1.6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE
2.1. In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide particular services offered, as well as information on the User’s activity on the Website. Detailed rules and objectives of processing the personal data collected during the use of the Website by the User are described below.
3. PURPOSES OF AND LEGAL BASES FOR PROCESSING DATA ON THE WEBSITE
USE OF THE SERVICE
3.1. Personal data of all persons using the Website (including their IP address or other identifiers and information collected by cookies or other similar technologies) and not being registered Users (i.e. persons who do not have a profile on the Website) shall be processed by the Controller:
3.1.1. in order to provide services by electronic means in the scope of disclosing the content gathered on the Website to the Users – in such cases, the legal basis for processing shall be the necessity of processing in order to perform the agreement (Article 6(1)(b) of the GDPR);
3.1.2. for analytical and statistical purposes – in such cases, the legal basis for the processing shall be the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) consisting in conducting analyses of Users’ activity and preferences in order to improve the functionalities and services provided;
3.1.3. in order to possibly establish and enforce claims or defend against them – the legal basis for the processing shall be the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) consisting in protecting Controller’s rights;
3.1.4. for marketing purposes of the Controller and other entities, in particular those purposes related to the presentation of behavioural advertising – the principles of processing personal data for marketing purposes are described in the ‘MARKETING’ section.
3.2. The User’s activity on the Website, including the User’s personal data, shall be recorded in system logs (a special software used to store chronological records containing information about events and activities related to the IT system used to provide services by the Controller). Information collected in the logs shall be processed primarily for the purposes of providing services. The Controller shall also process the data for technical and administrative purposes, for the purposes of ensuring the security of the information system and of managing the system, as well as for analytical and statistical purposes – the legal basis for the processing shall be the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR).
3.3. If the User puts any personal data of other persons on the Website (including their name, address, telephone number, or e-mail address), it may be done only on condition that it does not violate the law in force and the personal rights of those persons.
4.1. The Controller shall process Users’ personal data in order to carry out marketing activities, which may consist in:
4.1.1. displaying to the User marketing content that is tailored to their preferences (contextual advertising);
4.1.2. displaying to the User marketing content corresponding to their interests (behavioural advertising);
4.1.3. directing e-mail notifications about interesting offers or content, which in some cases contain commercial information (a newsletter service);
4.1.4. conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities).
4.2. In some cases, in order to carry out marketing activities, the Controller shall use profiling. This means that with automated data processing the Controller shall evaluate selected factors relating to natural persons in order to analyse their behaviour or to make predictions for the future.
4.3. The Controller shall process Users’ personal data for marketing purposes in connection with sending contextual advertising (i.e. advertising that is adjusted to the User’s preferences) to Users. In such cases, the personal data processing shall take place in connection with the execution of the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR).
4.4. The Controller and their trusted partners shall process Users’ personal data, including personal data collected by cookies and other similar technologies, for marketing purposes in connection with directing behavioural advertising (i.e. advertising that is tailored to the User’s preferences) to Users. In such cases, personal data processing shall also include profiling of the Users. The use of the personal data collected by this technology for marketing purposes, in particular the use to promote the services and goods of third parties, shall require the consent of the User. This consent can be withdrawn at any time.
4.5. The Controller shall provide the newsletter service on the principles specified in the terms of service to the persons who have provided their e-mail address for this purpose and agreed to receive the newsletter. Providing the data is required for the newsletter service to be provided; failure to provide the data shall results in the impossibility of sending the newsletter.
4.6. Personal data shall be processed:
4.6.1. in order to provide the newsletter delivery service – the legal basis for processing shall be the necessity of processing in order to perform the agreement (Article 6(1)(b) of the GDPR);
4.6.2. in the case of directing marketing content to the User as part of the newsletter, the legal basis for the processing, including profiling, shall be the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) in connection with the User’s consent to receive the newsletter;
4.6.3. for analytical and statistical purposes – the legal basis for the processing shall be the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) consisting in conducting analyses of Users’ activity on the Website in order to improve the functionalities provided;
4.6.4. in order to possibly establish and enforce claims or defend against them – the legal basis for the processing shall be the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR).
4.7. User’s personal data may also be used by the Controller to direct marketing content to the User through various channels, i.e. via e-mail, MMS/SMS, or telephone. Such actions shall be undertaken by the Controller only if the User has given their consent, which may be withdrawn at any time.
5. SOCIAL MEDIA
5.1. The Controller shall process personal data of the Users visiting the Controller’s profiles in social media (such as: Facebook, YouTube, Instagram, Twitter). Such data shall be processed only in connection with the profile management, including to inform the Users about the Controller’s activity and to promote various types of events, services, and products. The legal basis for the personal data processing shall be the legitimate interest of the Controller (Article 6 (1)(f) of the GDPR) consisting in networking in promoting their own brand.
6. COOKIES AND SIMILAR TECHNOLOGY
6.1. Cookies are small text files installed on a device of the User browsing the Website. The cookies collect information that facilitates the use of the website, e.g. by remembering the User’s visits to the Website and the activities performed by the User.
6.2. The Controller shall use the so-called service cookies primarily in order to deliver to the User services provided electronically and to improve the quality of such services. Therefore, the Controller and other entities providing analytical and statistical services to the Controller shall use the cookies to store information or gain access to information already stored in the telecommunications end device (computer, telephone, tablet, etc.) of the User. The cookies used for this purpose shall include:
6.2.1. cookies with data entered by the User (session ID) for the duration of the session (user input cookies);
6.2.2. authentication cookies used for services requiring authentication for the duration of the session (authentication cookies);
6.2.3. cookies used to ensure security, e.g. used to detect fraud in the field of authentication (user centric security cookies);
6.2.4. session cookies for multimedia players (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);
6.2.5. permanent cookies used to customise the User interface for the duration of the session or a little longer (user interface customization cookies),
6.2.6. cookies used to monitor traffic on the website, i.e. analyse data, including Google Analytics cookies (which are files used by the Google company to analyse how the User uses the Website, to create statistics and reports on the functioning of the Website). Google does not use the collected data to identify the User or link such information to enable identification. Detailed information about the scope and rules of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
6.3. The Controller and their trusted partners shall also use the cookies for marketing purposes, including directing behavioural advertising to the Users. For this purpose, the Controller and their trusted partners shall store information or access information already stored in the telecommunications end device (computer, telephone, tablet, etc.) of the User. The use of the cookies and the personal data collected by them for marketing purposes, in particular the use to promote the services and goods of third parties, shall require the consent of the User. This consent can be withdrawn at any time.
7. PERSONAL DATA PROCESSING PERIOD
7.1. The period of data processing by the Controller shall depend on the nature of the service provided and the purpose of processing. As a rule, the data shall be processed for the time of the service provision or the order execution, until the User withdraws their consent or effectively objects to the data processing in cases where the legal basis for data processing is the Controller’s legitimate interest.
7.2. The data processing period may be extended where processing is necessary for the establishment, exercise, and defence against possible claims and, after that period, only if and as far as required by laws. At the end of the processing period, the data shall be irretrievably removed or anonymised.
8. USER PERMISSIONS
8.1. The User shall be entitled to: access the data content and request that their data be rectified or removed, limit the processing of their data, use their right to data portability or object to the processing of their data, as well as their right to lodge a complaint with the supervisory authority competent for the personal data protection.
8.2. To the extent that User’s data are processed on the basis of consent, the consent can be withdrawn at any time by contacting the Controller. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
8.3. The User shall have the right to object to data processing for marketing purposes where the processing takes place in relation to the legitimate interest of the Controller, as well as – due to reasons related to the specific situation of the User – in other cases where the legal basis for the data processing is the legitimate interest of the Controller (e.g. in relation to the fulfilment of analytical and statistical purposes).
8.4. More information on the rights resulting from the GDPR are to be found here
9. DATA RECIPIENTS
9.1. In connection with the provision of services, personal data shall be disclosed to third parties, including in particular suppliers responsible for maintenance of IT systems, marketing agencies (in the scope of marketing services), providers of legal and analytical services, and entities related to the Controller, including entities from the Controller’s capital group.
9.2. In case of obtaining the User’s consent, the User’s data may also be shared with other entities for their own purposes, including marketing.
9.3. Personal data, including e.g. full name, telephone number, e-mail address, city, provided in connection with an inquiry submitted via e-mail address provided for this purpose on the Website, shall be made disclosed to a commercial partner belonging to the Controller’s distribution network for contact purposes and for purposes related to the handling of the inquiry. The basis for the transfer of personal data is the legitimate interest of the Controller consisting in ensuring the reliability of the business activity conducted by the Controller. To the extent that the User contacts a commercial partner directly via the e-mail address of the commercial partner provided on the Website for this purpose or that the User enters into an agreement with a commercial partner, the controller of the User’s personal data in connection with such contact or such agreement shall be the commercial partner, and the User’s personal data shall be processed in connection with the need to handle the inquiry received and to execute such an agreement. The list of the commercial partners belonging to the Controller’s distribution network is available under the ‘Contact’ tab at www.oknoplast.no .
9.4. The Controller reserves the right to disclose selected information regarding the User to the competent authorities who request such information, relying on the relevant legal basis and in accordance with the applicable laws.
10. TRANSFER OF DATA OUTSIDE THE EEA
10.1. The level of protection of personal data outside the European Economic Area (EEA) is different from that provided by the European law. For this reason, the Controller shall transfer personal data outside the EEA only if necessary and ensuring adequate level of protection, in particular by:
10.1.1. cooperation with processors of personal data in countries for which a relevant decision of the European Commission has been issued;
10.1.2. application of standard contractual clauses issued by the European Commission;
10.1.3. application of binding corporate rules approved by the competent supervisory authority;
10.1.4. if data are transmitted to the USA – cooperation with entities participating in the Privacy Shield Programme approved by decision of the European Commission.
10.2. The Controller shall always communicate its intention to transfer personal data outside the EEA at the stage of its collection.
11. SECURITY OF PERSONAL DATA
11.1. The Controller shall conduct risk analysis on an ongoing basis in order to ensure that personal data are processed by the Controller in a safe manner – ensuring, first of all, that access to data is granted only to authorised persons and only to the extent necessary for the performance of their tasks. The Controller shall ensure that all operations on personal data are registered and performed only by authorised employees and collaborators.
11.2. The Controller shall take all necessary steps to ensure that its subcontractors and other cooperators also guarantee the use of appropriate security measures, whenever they process personal data by order of the Controller.
12. CONTACT DATA
12.1. You may contact the Controller at the following e-mail address: email@example.com or postal address: Oknoplast Sp. z o.o., Ochmanów 117, 32-003 Podłęże, Poland.
13.1. The Policy is verified on an ongoing basis and, if necessary, updated. The current version of the Policy was adopted on and is effective from 24 May 2018.