Personal data includes all information relating to an identified or identifiable natural person by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including the image, voice recording, location data, contact data, data contained in correspondence, information gathered using recording equipment or similar technologies.
The processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, making available, alignment or combination, restriction, erasure or destruction.
II. Data controller
REDNET PROPERTY GROUP Spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw (02-247) at ul. Marcina Flisa 4, registered under no. KRS 0000043992, whose registration files are kept by the District Court for the Capital City of Warsaw in Warsaw, Division XIII Commercial of the National Court Register, NIP 6321799435, REGON 276944454, share capital of PLN 39,000.00 (the “Data Controller” or “RPG”) is the controller of the personal data of the Service Users.
The Data Controller has appointed the Data Protection Officer.
It is possible to contact the Data Controller in writing at the address provided above or via e-mail to the address of the Data Protection Officer: email@example.com
The personal data of the Service Users are processed in accordance with the legal regulations in effect, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), and the Act on Personal Data Protection of 10 May 2018.
III. Purpose of personal data processing and basis for processing
RPG processes the personal data of the Users in the following cases and for the following purposes:
1) Ongoing service for the Users.
The personal data processing is required for the purposes of providing ongoing services to the Service Users, including in particular replying to questions concerning the offer of RPG. This occurs, in particular, when a User sends an e-mail or contacts RPG by phone, including in connection with complaints concerning the operation of the website.
Providing your personal data is voluntary, but necessary for the purposes of communication with RPG.
Personal data will be processed only in order to answer a question or perform a request submitted in the message. The legal basis for the data processing is the legitimate interest of the Data Controller [Article 6(1)(f) GDPR] consisting in services provided to customers or prospective customers.
In such case, the personal data are processed also for subsidiary purposes of the Data Controller, including:
exercise, establishment or defence of legal claims which constitutes the legitimate interest of the Data Controller – [Article 6(1)(f) GDPR];
archiving and evidence purposes arising from the legitimate interest to protect information in the case of a lawful need or obligation to demonstrate facts – [Article 6(1)(f) GDPR].
2) Ensuring security of the Service.
The Data Controller also processes the Users’ data to ensure security of the Service operation.
In such cases, the Data Controller processes the following data of the Users: data stored in the system logs such as computer IP, URL read.
The provision of data is necessary to use the Service.
In such case, the Data Controller processes the data on the basis of a legitimate interest of the Data Controller [Article 6(1)(f) GDPR], i.e. ensuring the security of the Service use.
3) Use of the Service.
In order to provide the User with the possibility to use the Service, in particular with regard to making available to the User the option to view, reproduce and read information and materials made available via the Service as well as development of the Service functionalities, the Data Controller processes the data stored in the system logs, including the computer IP or URL read.
In such case, the data processing by the Data Controller is necessary to perform a contract on provision of electronic services to which the User is a party [Article 6(1)(b) GDPR].
4) Handling matters connected with exercise of the data subjects’ rights.
The Data Controller also processes personal data in connection with handling matters with regard to exercising the data subjects’ rights as provided for in GDPR.
In such case, the Data Controller processes:
(a) data that make it possible to identify the person submitting the request such as name and surname, e-mail address, telephone number, address;
(b) identifier of the case in the internal system of the Data Controller and data describing the subject matter of the request or complaint;
(c) data describing the manner of performance of the case, including correspondence with the data subject.
The provision of personal data is voluntary, but necessary for the purposes of exercising the rights.
The data are processed for the purposes of performance of legal obligations of the Data
Controller as provided for in the personal data protection regulations, in particular Article 12-22 GDPR [Article 6(1)(c) GDPR].
In this case, personal data are also processed in order to achieve a subsidiary objective of the Data Controller, i.e. for archiving and evidence purposes arising from the legitimate interest to protect information in the case of a lawful need or obligation to demonstrate facts – [Article 6(1)(f) GDPR].
IV. Period of storage of personal data.
RPG does not store the Users’ personal data for a period longer than necessary to achieve the objectives for which they have been collected. The period of processing depends on the purpose of processing, in particular:
1) In the case of data processing in order to answer the Users’ enquiries submitted via e-mail, phone or other means of communication, the data will be processed for a period necessary to answer the given enquiry, and then:
a. in the case of execution of a contract or contracts with RPG, for a period stated in the information clause attached to such contract/contracts;
b. in the case of a lack of repeated contact, depending on the subject matter of the contract, the data will be erased 2 years after the last contact or at the end of the period of limitation of potential claims (in principle, after 2 years, at the end of a calendar year).
2) In the case of data processing for the purposes of ensuring security of the Service and fraud prevention, the data will be processed for 2 years following the date of gathering.
3) In the case of data processing for the purposes of executing and performing a contract for the provision of electronic services, the User’s data will be processed during the period of performance of the contract for the provision of electronic services.
4) In the case of data processing for the purposes of establishment, exercise or defence of claims, the data will be processed no longer than until expiry of the period of limitation of potential claims.
5) Personal data processed in order to demonstrate and perform the obligations of RPG, in particular those established pursuant to GDPR, will be processed solely to the extent and for a period necessary to perform such obligations and to demonstrate that the obligations of RPG have been complied with.
V. Recipients of your personal data.
Subject to the legal restrictions, RPG may transfer the Users’ personal data to the following entities:
a) bodies and entities authorised to receive the User’s data in accordance with the applicable laws;
b) entities providing services or making available IT systems to the Data Controller;
c) entities providing services of delivery and maintenance of software used to provide the Service;
d) entities providing mail or courier services;
e) entities providing to the Data Controller services in the area of personal data protection and security of IT systems;
f) entities providing legal services, entities providing accounting services, consulting companies, entities providing damage liquidation services cooperating with the Data Controller;
g) employees and associates of the Data Controller and employees and associates of the above-mentioned entities.
VI. Information on automated decision-making, including profiling
VII. Data transfers to countries outside the EEA.
In connection with the use of the Service, the User’s personal data may be transferred outside the EEA in relation to the use of Google’s and Facebook’s tools, in particular to the United States. When implementing specific tools in its service or using third party services, RPG always makes sure that a potential transfer of personal data to a third country or recipient in such country guarantees the necessary appropriate data protection, in particular by way of:
(a) cooperation with personal data processors in the countries with respect to which the appropriate decision of the European Commission has been issued;
(b) application of standard contractual clauses of the European Commission;
(c) making use of binding corporate rules approved by the appropriate supervisory authority.
Such criteria are met with regard to the above-mentioned tools. The User may obtain a copy of such data.
VIII. User Rights.
In accordance with GDPR, the User has the following rights:
(1) right to access processed data – the data subject has the right to obtain from the Data Controller information on personal data processing, including purposes of the processing, categories of personal data processed, legal basis of processing, planned period of processing and recipients to whom such data are disclosed as well as to obtain a copy of the personal data processed by the Data Controller;
(2) right to rectify data – the data subject has the right to request the Data Controller to rectify incorrect data or complete incomplete personal data of the data subject;
(3) right to erase data – the data subject has the right to obtain from the Data Controller the erasure of his/her personal data without undue delay if such personal data are no longer necessary in relation to the purposes for which they were collected or the data subject withdraws consent on which the processing is based (which has no impact on lawfulness of the processing performed before such withdrawal of consent);
(4) right to restrict processing – the data subject has the right to request the Data
Controller to restrict the processing in the following cases:
probable inaccuracy of personal data (until verification of accuracy by the Data Controller);
the processing is unlawful, and the data subject objects to the personal data erasure and requests the restriction of the use of such data;
the purpose of the personal data processing by the Data Controller has ceased but the data subject needs such data for the purposes of establishment, exercise or defence of claims;
the data subject has objected to the processing;
(5) right transmit data – the data subject whose data are processed on an automated basis based on the data subject’s consent or a contract has the right to request the Data Controller to make available (in a commonly used readable format) the data provided by the data subject or to transmit the data to another data controller (if possible technically);
(6) right to withdraw consent – if the processing is carried out based on consent, the data subject has the right to withdraw such consent at any time (which has no impact on lawfulness of the processing performed before such withdrawal of consent);
(7) right to object – the data subject has the right to object to the processing of his/her data based on the legitimate purpose of the Data Controller (the objection should contain a rationale) unless the Data Controller demonstrates the existence of overriding bases for the processing, however, in the case when the objection pertains to the processing of personal data for the purposes of direct marketing, including profiling, it is not required to submit a rationale and the Data Controller is obliged to comply.
IX. Submission of requests to exercise rights.
A request concerning exercise of the rights of the data subject may be submitted to:
1) in writing to the address of the Data Controller: Marcina Flisa 4, 02-247 Warszawa, with a note “personal data”, or
2) via e-mail to the Data Protection Officer: firstname.lastname@example.org
X. Right to lodge a complaint to a supervisory authority.
If the data subject believes that the personal data processing violates the GDPR or other generally applicable personal data protection regulations, the data subject may lodge a complaint with the President of the Personal Data Protection Office.
a) amendments to the applicable regulations, in particular those concerning personal data protection, telecommunications law, electronic services or consumer rights, affecting the rights and obligations of the Data Controller or the rights and obligations of the data subjects;
b) development of electronic services due to Internet technology progress, including application and development of new solutions, e.g. with regard to functionalities;
Information on such amendments will be displayed in the Service or sent via e-mail to the Users holding an Account.