Privacy policy

1.DEFINITIONS

1.1. Controller – CAR NET Polska sp. z o.o. with its registered office in Kalisz, ul. Podmiejska 4, 62-800 Kalisz, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court Poznań – Nowe Miasto and Wilda in Poznań, IX Economic Division of the National Court Register under KRS number: 0000385782, NIP: 6182134091; REGON: 30174362700000.

1.2. Personal data – information about a natural person who is identified or identifiable by one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies and other similar technology.

1.3. Policy – this Privacy Policy.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

1.5. Website – the website operated by the Controller at www.carnet.pl.

1.6. User – any natural person visiting the Website or using one or more of the services or functionalities of the Website as described in the Policy.

1.7. Data Subject – the natural person to whom the personal data processed by the Controller relates.

2. DATA PROCESSING BY THE CONTROLLER

2.1. In connection with its business activities, the Controller collects and processes Personal Data in accordance with the relevant legislation, including in particular the GDPR, and the data processing rules provided for therein.

2.2. The Controller shall ensure transparency in the processing of Personal Data, in particular, always informing about the processing at the time of collection, including the purpose and legal basis of the processing (e.g. when concluding a contract for the sale of goods or services). The Controller shall ensure that the data are only collected to the extent necessary to fulfil the stated purpose and are only processed for as long as necessary.

2.3. When processing Personal Data, the Controller shall ensure its security and confidentiality and that data subjects have access to information about the processing. Should a breach of the protection of Personal Data (e.g. a “leak” of data or a loss of data) occur despite the security measures in place, the Controller will inform the Data Subjects of such an event in accordance with the regulations.

2.4. In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide electronic services, as well as information about the User’s activity on the Website. The following describes the specific principles and purposes of the processing of Personal Data collected during the User’s use of the Website.

3. PURPOSES AND LEGAL BASES OF DATA PROCESSING BY THE CONTROLLER

USE OF THE WEBSITE

3.1. Personal data of all persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies), are processed by the Controller in order to:

3.1.1. the provision of services electronically in terms of providing Users with access to the content collected on the Website – the legal basis for the processing is the necessity of the processing for the performance of the contract (Article 6(1)(b) GDPR);

3.1.2. analytical and statistical – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting of conducting analyses of Users’ activities, as well as their preferences in order to improve the functionalities used and services provided;

3.1.3. technical and administrative work connected with the security and management of the Website – in which case the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting of carrying out IT and administrative work aimed at maintaining the security and proper functioning of the Website;

3.1.4. the establishment and assertion of claims or the defence against claims – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting of the defence of its economic interests;

3.1.5. the Controller’s marketing – the principles of processing Personal Data for marketing purposes are described in the MARKETING section.

3.2. The User’s activity on the Website, including their Personal Data, is recorded in system logs (a special computer programme used to keep a chronological record containing information on events and activities that relate to the IT system used to provide services by the Controller). The information collected in the logs is processed primarily for the purposes of providing services. The Controller also processes the data for technical, administrative purposes, for the purposes of ensuring the security of the IT system and the management of this system, as well as for analytical and statistical purposes – in this regard, the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting of providing and improving the functionalities offered to Users.

PHONEBOX AND CALL REQUEST FORM FOR TELEPHONE BOOKINGS

3.6. The Controller provides the User with the possibility to leave a telephone number via the Phonebox and via an electronic contact form. The Phonebox and the form are used to order a call with the Controller aimed at making a telephone reservation by the User, however, in the case of the electronic form, this applies only to making reservations for vehicles not available on the Website. The use of the Phonebox or the form requires the submission of Personal Data in the form of a telephone number. The provision of a telephone number is voluntary and implies consent for the Controller to make telephone contact with the User.

3.7. Personal data is processed for the purpose of:

3.7.1. making contact at the request of the User for the purpose of accepting a booking or making an offer – the legal basis for the processing is the Controller’s legitimate interest in relation to the consent given to make contact (Article 6(1)(f) GDPR), consisting of acquiring new customers;

3.7.2. establishing and asserting claims or the defence against claims – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting of the defence of its economic interests.

CHATBOX

3.8. The Controller shall provide a means of contacting the Controller, including directing an enquiry to the Controller, using electronic contact forms. The use of the form requires the submission of Personal Data necessary to contact the User and respond to the request. The user may also provide other data in order to facilitate contact or the handling of an enquiry. The provision of data marked as mandatory is required in order to receive and handle the enquiry, and failure to do so will result in the impossibility of service. The provision of Personal Data marked as optional is voluntary and implies consent to the processing of such Personal Data by the Controller.

3.9. Personal data is processed for the purpose of:

3.9.1. establishing contact at the User’s request and for the Controller to carry out the conversation by means of the Chatbox functionality available on the Website – the legal basis for the processing is the Controller’s legitimate interest in connection with the consent given to undertake contact (Article 6(1)(f) GDPR), consisting of acquiring new customers, and, as regards Personal Data provided voluntarily, the consent given.

3.9.2. establishing and asserting claims or the defence against claims – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting of the defence of its economic interests.

CONCLUSION OF RESERVATION AGREEMENTS AND VEHICLE RENTAL AGREEMENTS

3.10. The Controller makes it possible to conclude booking agreements and vehicle rental agreements via the functionalities made available on the Website. The provision of Personal Data is required in order to conclude and perform the contracts concluded with the Controller, and failure to do so will result in the impossibility to conclude and perform these contracts. The provision of Personal Data marked as optional is voluntary and implies consent to the processing of such Personal Data by the Controller.

3.11 Detailed information on the processing of personal data in connection with the conclusion of booking agreements is available here.

3.12. The conclusion of a vehicle rental booking agreement can also be made by telephone contact with the Controller’s hotline.

NEWSLETTER

3.13. By filling in the application forms within the Website, the User may also express a wish to use the newsletter service. In this case, the Personal Data provided by the User as part of the newsletter subscription form will be processed by the Controller for the purpose of sending a newsletter containing commercial information about the Controller’s activities. The provision of this data is necessary in order to send the newsletter, and failure to provide this data will result in the inability to receive the newsletter.

3.14. Personal data is processed for the purpose of:

3.14.1. the provision of the newsletter mailing service – the legal basis for the processing is the necessity of the processing for the performance of the contract (Article 6(1)(b) of the GDPR);

3.14.2. the establishment and assertion of claims or the defence against claims – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting of the defence of its economic interests.

E-MAIL CORRESPONDENCE

3.15. When correspondence is addressed to the Controller by e-mail that is not related to the services provided to the sender or to any other contract concluded with the sender, the Personal Data contained in this correspondence is processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.

3.16. Personal data is processed for:

3.16.1. the conduct of correspondence and the resolution of a possible matter to which the correspondence relates – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting of the conduct of correspondence addressed to it in connection with its business activities;

3.16.2. the establishment or assertion of possible claims or the defence against such claims by the Controller – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in defending its business interests.

TELEPHONE CONTACT

3.17. When contacting the Controller by telephone, on matters not related to the contract concluded or the services provided, the Controller may request Personal Data only if it is necessary to handle the matter to which the contact relates. Telephone conversations may be recorded.

3.18. Personal data is processed for:

3.18.1. the provision of contact and service for a telephone enquiry – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting of the need to resolve a reported matter related to its business activities;

3.18.2 verification of the quality of service of the telephone application – the legal basis for the processing is the legitimate interest of the Controller (Art. 6(1)(f) GDPR) to improve the quality of service to Data Subjects, including the handling of complaints;

3.18.3. establishing or asserting of possible claims or the defence against such claims by the Controller – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in defending its business interests.

DATA COLLECTION THROUGH BUSINESS CONTACTS

3.19. In connection with its business activities, the Controller also collects personal data in other cases – e.g. during business meetings or by exchanging business cards – for the purposes of initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting of networking in connection with business activities.

DATA COLLECTION THROUGH BUSINESS CONTACTS

GEOLOCATION ON THE SITE

3.20. The Controller has provided a tool on the Website to geolocate the User’s device using the Google Maps API. The use of this functionality is optional and not required for the correct use of the Website. Location data is processed solely for the purpose of providing directions to the Controller’s branches where its services can be used, in which case the basis for the processing of this data is the User’s consent (Article 6(1)(a) GDPR). The above data is processed on a one-off basis, i.e. the Controller does not process them continuously.

3.21. The User’s use of the Google Maps API tool on the Website is further governed by the current version of the Google Maps and Google Earth Additional Terms of Service, which can be found here.

3.22. As part of the use of this tool, Google processes User’s personal data in accordance with the terms described in the current version of Google’s Privacy Policy, available here.

ADDING OPINIONS

3.23. The Administrator processes personal data of Entities leaving opinions about the Administrator on external platforms Trustpilot and Google Maps. This data is processed for the purpose of moderating opinions – the legal basis for the Administrator’s processing of personal data for this purpose is the Administrator’s legitimate interest (Article 6(1)(f) RODO) consisting in the effective management of CAR NET branch business cards in the aforementioned services.

3.24. The above information does not apply to data processing by the administrators of the Google Maps Opinions and Trustpilot services. For more detailed information on the purpose and scope of data collection by the services, please follow the links below:

3.24.1. Trustpilot: here;

3.24.2. Google Maps: here.

SOCIAL NETWORKS

3.25. The Controller processes the personal data of Users visiting the Controller’s social media profiles (Facebook, YouTube, LinkedIn, Instagram, GoWork).

3.26 Personal data is processed exclusively in connection with the running of the profile, including:

3.26.1. informing Users about the Controller’s activities and promoting various events, services and products – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in promoting its own brand;

3.26.2 analytical and statistical – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting of improving the quality of the services provided and analysing the preferences and activities of Users visiting the Controller’s social media profiles in order to improve the functionalities used and services provided.

3.27. The above information does not apply to the processing of data by social network administrators (Facebook, YouTube, LinkedIn, Instagram, GoWork). For detailed information on this purpose and scope of data collection by social networks, please follow the links below:

3.27.1. Facebook: here;

3.27.2. YouTube: here;

3.27.3. LinkedIn: here;

3.27.4. Instagram: here;

3.27.5. GoWork: here.

VIDEO SURVEILLANCE

3.28. In view of the need to ensure the safety of persons and property, as well as to maintain the secrecy of information, the disclosure of which could expose the Controller to damage, the Controller uses video monitoring of the premises and grounds managed by it. The data collected in this way is not used for any purpose other than that described below.

3.29. Personal data in the form of surveillance footage is processed for the purpose of:

3.29.1. ensuring security and order on the premises – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), consisting of ensuring the security of the Controller’s staff and persons residing on its premises or in its branches, protecting the property belonging to the Controller, maintaining the secrecy of information the disclosure of which could expose the Controller to damage;

3.29.2. defending against claims made against the Controller or to establish and assert claims by the Controller – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in defending its business interests.

3.30. The area covered by the Controller’s monitoring is marked with appropriate graphic signs.

RECRUITMENT

3.31. As part of the recruitment processes, the Controller expects the transfer of Personal Data (e.g. in a CV or resume) only to the extent stipulated by law, including labour law (where an employment contract is the preferred form of employment) or required by the Controller in the content of the advertisement. Therefore, information should not be provided more widely. In the event that the applications sent contain additional data beyond that indicated by law or by the Controller in the content of the advertisement, their processing will be based on the candidate’s consent (Article 6(1)(a) of the GDPR), expressed through the unambiguous affirmative action of the candidate sending the application documents. In the event that applications sent contain information that is not relevant to the purpose of the recruitment, they will not be used or taken into account in the recruitment process.

3.32. Personal data is processed:

3.32.1. where the preferred form of employment is a contract of employment – in order to comply with the obligations arising from the provisions of the law, related to the employment process, including primarily the Labour Code – the legal basis for the processing is the legal obligation incumbent on the Controller (Article 6(1)(c) of the GDPR in connection with the provisions of the labour law), and with regard to data on health status if it concerns you – to verify the possibility of exercising the rights to which you are entitled as a disabled person under the provisions of the law, in particular under the Act on Professional and Social Rehabilitation and Employment of Disabled Persons. Processing of such data by the Controller will only take place if you voluntarily provide this data. The basis for the processing is the necessity for the fulfilment of obligations and the exercise of specific rights you have as a data subject in the field of labour law, social security and social protection (Article 9(2)(b) GDPR);

3.32.2. where the preferred form of employment is a civil law contract – in order to conduct the recruitment process – the legal basis for processing the data contained in the application documents is to take action prior to the conclusion of a contract at the request of the data subject (Article 6(1)(b) GDPR);

3.32.3. for the purpose of carrying out the recruitment process in respect of data not required by law or by the Controller, as well as for the purpose of future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) GDPR);

3.32.4. in order to verify the qualifications and skills of the candidate or applicant and to establish the terms and conditions of the cooperation – the legal basis for the processing of the data is the legitimate interest of the Controller (Article 6(1)(f) GDPR). The Controller’s legitimate interest is to vet job applicants and to determine the terms and conditions of possible cooperation;

3.32.5. in order for the Controller to establish or assert possible claims or to defend against claims made against the Controller – the legal basis for data processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

3.33. To the extent that Personal Data is processed on the basis of consent given, this consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to withdrawal. If consent is given for the purposes of future recruitment processes, personal data is deleted after two years – unless consent is withdrawn beforehand.

3.34. The provision of data within the scope of Article 22(1) of the Labour Code is required – in the case of the candidate’s preference for employment based on an employment contract – by law, including primarily the Labour Code, and in the case of the candidate’s preference for employment based on a civil law contract – by the Controller. The consequence of failing to provide this data is that the application in question cannot be considered in the recruitment process. The provision of other data is voluntary.

4. MARKETING ON THE WEBSITE

4.1. The Controller processes Users’ personal data in order to carry out marketing activities, which may consist of:

4.1.1. displaying marketing content to the User that matches the User’s interests (behavioural advertising).

4.1.2. carrying out activities related to direct marketing of its own goods and services (sending commercial information by electronic means and telemarketing activities).

BEHAVIOURAL ADVERTISING

4.2. The Controller and its trusted partners process Users’ Personal Data, including Personal Data collected through cookies and other similar technologies, for marketing purposes in connection with targeting Users with behavioural advertising (i.e. advertising that is tailored to the User’s preferences).

5. COOKIES AND SIMILAR TECHNOLOGY

5.1. Cookies are small text files installed on the User’s device. Cookies collect information that makes it easier to use the website – e.g. by remembering information about the user such as login information or language preferences. CAR NET Polska sp. z o.o. is the Controller of data processed in connection with the use of cookies. The Controller uses its own files on the Website, which are installed directly by the Website. Third-party cookies – which are cookies from a domain other than that of the website visited – are also used, primarily for the Controller’s analytical and advertising activities.

5.2. The Website uses cookies primarily to ensure the correct functioning of the website, to remember the User’s choices on the website – and, if the User has given the appropriate consent, also to analyse and track traffic on the Website and to tailor advertising content to interests. Cookies are also installed on the Website, based on the consent obtained, to enable the use of social media functionalities.

5.3. Below are details of the cookies that the Controller uses on the Website. The Controller regularly uses tools to scan the Website to determine what cookies are stored on the User’s device, so that the list of cookies used is as accurate as possible. The Controller uses the following categories of cookies: essential, functional, analytical, advertising cookies and social media cookies.

ESSENTIAL COOKIES

5.4. The Controller’s use of essential cookies is necessary for the proper functioning of the website. These files are installed in particular for the purposes of saving login sessions or filling in forms, as well as for setting privacy options.

5.5. The legal basis for the processing of data in connection with the use of the necessary cookies is the necessity of the processing for the performance of the contract (Art. 6(1)(b) GDPR).

5.6. If the User wishes to obtain more information on the individual files in this category, i.e. the name of each cookie, description of the operation, validity period and origin, click on the “Manage cookies” button, which can be found in section 7 of the Privacy Policy, or the button with the same content available in the footer of each subpage of the Website. When the cookie banner appears, select the “Manage cookies” button and then expand the “Essential cookies” list, followed by the “Details” button below.

FUNCTIONAL AND ANALYTICAL COOKIES

5.7. Functional cookies are used to remember and adapt the Website to the User’s choices in terms of, among other things, language preferences. Functional cookies may be installed by the Controller and its partners through the Website.

5.8. Analytical cookies make it possible to obtain information such as the number of visits and traffic sources on the Website. These are used to determine which pages are more and which are less popular and to understand how Users navigate the site by keeping statistics on traffic to the Website. Data processing is carried out in order to improve the performance of the Website. The information collected by these cookies is aggregated and is therefore not intended to establish your identity. Functional cookies may be installed by the Controller and its partners through the Website.

5.9. The legal basis for the processing of Personal Data in connection with the use of functional and analytical cookies by the Controller is its legitimate interest (Article 6(1)(f) GDPR), consisting in ensuring the highest quality of services provided on the Website, in connection with the User’s consent to their storage (separate for analytical files, separate for functional files).

5.10. The processing of Personal Data in connection with the use of functional and analytical cookies is subject to the User’s consent to the use of (separately) functional and analytical cookies via the cookie consent management platform. This consent can be withdrawn at any time via this platform. The withdrawal of consent shall not affect the lawfulness of the processing carried out before its withdrawal.

5.11. If the User wishes to obtain more information on the individual files of these categories, i.e. the name of the individual cookies, description of the function, validity period and origin, click on the “Manage cookies” button in section 7. Privacy Policy – “Manage cookies” or a button with the same content available in the footer of each subpage of the Website. When the cookie banner appears, select the “Manage cookies” button and then expand either the “Analytical cookies” or “Functional cookies” list, followed by the “Details” button under each list.

ADVERTISING COOKIES

5.12. Advertising cookies allow the advertising content displayed to be tailored to the interests of Users within and outside the Website. Based on the information from these cookies and the User’s activity on other sites, a profile of the User’s interests is built. Advertising cookies may be installed by the Controller and its partners through our Website.

5.13. The legal basis for the processing of Personal Data in connection with the use of advertising cookies by the Controller for this purpose is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting of promoting the Controller’s brand and informing about the Controller’s current offer, including by directing marketing information to Website Users corresponding to their interests, in connection with the User’s consent to the storing of advertising cookies.

5.14. The processing of Personal Data in connection with the use of advertising cookies is possible after obtaining the User’s consent to the use of consent via the consent management platform. This consent can be withdrawn at any time via this platform. The withdrawal of consent shall not affect the lawfulness of the processing carried out before its withdrawal.

5.15. If the User wishes to obtain more information on the individual cookies in this category, i.e. the name of the individual cookie, description of the function, validity period and origin, click on the “Manage cookies” button in section 7. Privacy Policy – “Manage cookies” or a button with the same content available in the footer of each subpage of the Website. When the cookie banner appears, select the “Manage cookies” button and then expand the “Advertising cookies” list, followed by the “Details” button below.

SOCIAL MEDIA COOKIES

5.16. These cookies are installed by the Controller’s partners in order to tailor the advertising content displayed on the social media used by the User. Based on the information from these cookies and activity on other sites or social media, an interest profile is built. This ensures that the content displayed is tailored to the individual. Social media cookies do not directly store personal data, but identify the web browser and hardware. If you do not allow these cookies to be used, the Controller will not be able to prevent you from seeing the same advertising or allow you to like and share content posted by the Controller on social media.

5.17. If the User wishes to obtain more information on the individual files in this category, i.e. the name of the individual files, description of the function, validity period and origin, click on the “Manage cookies” button in section 7. Privacy Policy – “Manage cookies” or a button with the same content available in the footer of each subpage of the Website. When the cookie banner appears, select the ‘Manage cookies’ button and then expand the ‘Social media cookies’ list, then the ‘Details’ button below.

6. ANALYTICAL AND MARKETING TOOLS USED BY THE CONTROLLER’S PARTNERS

6.1. The Controller and its Partners apply various solutions and tools used for analytical and marketing purposes. Below is some basic information on these tools. Please refer to the privacy policy of the respective partner for further details.

6.2. An up-to-date and complete list of the Controller’s Partners is available at: https://carnet.pl/lista-partnerow.

GOOGLE ANALYTICS

6.3. Google Analytics cookies are cookies used by Google to analyse your use of the Website, to create statistics and reports on how the Website works. Google does not use the data collected to identify you, nor does it combine this information to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.

GOOGLE ADS

6.4. Google Ads is a tool that allows the effectiveness of advertising campaigns carried out by the Controller to be measured, allowing data such as keywords or the number of unique users to be analysed. The Google Ads platform also allows our ads to be displayed to people who have visited the Service in the past. Information on Google’s processing of the above service is available at the following link: https://policies.google.com/technologies/ads?hl=pl.

GOOGLE TAG MANAGER

6.5. Google Tag manager is a tool for managing scripts on the Website. It can be used to install various types of scripts on a website. This includes scripts related to the consents given by the User, scripts that track User behaviour through analytical tools such as Google Analytics, or conversion tracking from advertising systems such as Google Ads. In connection with the use of the tool, Google collects aggregated data on the running of these scripts, without being able to identify a specific User. Information on Google’s processing of the above service is available at the following link: https://support.google.com/tagmanager/answer/9323295?hl=pl&ref_topic=3441532.

GOOGLE MAPS WIDGET PRO PLUG-IN

6.6. The Google Maps plugin is a tool that allows you to easily display Google Maps in a widget or using short code, so that maps can be easily displayed in a post, page or custom post type to provide you with directions to the Controller’s branches where the User can use the services they offer. When using this tool, cookies are installed on the User’s device by Google. Information on Google’s processing of the above service is available at the following link: https://policies.google.com/privacy?hl=pl#infocollect.

FACEBOOK PIXELS

6.7. Facebook Pixels is a tool for measuring the effectiveness of advertising campaigns carried out by the Controller on Facebook. The tool allows for advanced data analytics to optimise the Controller’s activities also using other tools offered by Facebook.

6.7.1. With regard to the personal data processed using this tool, Meta Platforms Ireland Limited, based in Ireland, has – together with the Controller – the status of joint controller of the personal data. Personal data is processed by the joint controllers for measurement and analytical activities within the Website. The Controller and Meta have adopted a joint arrangement in this regard, which can be found at this link: https://www.facebook.com/privacy/policy/?locale=pl_PL and https://www.facebook.com/legal/controller_addendum.

HOTJAR

6.8. HotJar is a tool that allows the Controller to carry out analyses of User activity on the Website, e.g. through surveys or satisfaction surveys, and through the anonymous collection of information about clicks on particular areas of the Website. The tool does not identify the user. Detailed information on the data collected via HotJar and how to deactivate User monitoring is available at the following link: https://www.hotjar.com/privacy.

SALES MANAGO

6.9. Sales Manago is a tool to identify people entering a website or online shop and monitor their behaviour in online channels. It allows the construction of unique behavioural profiles of specific individuals, which makes it possible to automate and personalise marketing processes carried out in email channels, advertising networks, in the mobile channel, direct sales, and through dynamic content on the Website. Details of the data collected through the Sales Mango tool are available at: https://salesmanago.pl/info/obowiazek-informacyjny.htm.

7. MANAGEMENT OF COOKIE SETTINGS

7.1. The use of cookies to collect data via them, including accessing the data stored on the User’s device, requires the User’s consent. On the Website, the Controller receives consent from the User via the cookie consent management platform. This consent may be withdrawn at any time according to the rules described in section 7.4 below.

7.2. Consent is not required only in the case of cookies, the use of which is necessary for the provision of the telecommunications service (data transmission to display content) – the User does not have the option to opt out of these cookies if he or she wishes to use the Website.

7.3. In order to receive advertising tailored to the User’s preferences, in addition to agreeing to the installation of cookies through the cookie consent management platform, it is necessary to maintain appropriate browser settings that allow the storage of cookies from the Website in the User’s terminal equipment.

7.4. Withdrawal of consent for the collection of cookies on the Website is possible via the cookie consent management platform. The user can return to the banner by clicking on the “Manage cookies” button below or on a button with the same content available in the footer of each subpage of the Website.

7.5. Once the banner is displayed, the User can withdraw consent by clicking on the “MANAGE COOKIES” button. Then move the slider next to the selected cookie category and press the “SAVE SETTINGS” button.

7.6. The user also has the option to withdraw consent by changing their browser settings. Detailed information can be found at the links below:

7.6.1. Internet Explorer: https://support.microsoft.com/pl-pl/windows/zarz%C4%85dzanie-plikami-cookie-w-przegl%C4%85darce-microsoft-edge-wy%C5%9Bwietlanie-zezwalanie-blokowanie-usuwanie-i-u%C5%BCywanie-168dab11-0753-043d-7c16-ede5947fc64d

7.6.2. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka

7.6.3. Google Chrome: https://support.google.com/chrome/answer/95647?hl=pl

7.6.4. Opera: https://help.opera.com/pl/latest/web-preferences/

7.6.5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB.

7.7. The user can verify the status of their current privacy settings for the browser used at any time using the tools available at the links below:

7.7.1. http://www.youronlinechoices.com/pl/twojewybory

7.7.2. http://optout.aboutads.info/?c=2&lang=EN.

7.8. In order to exercise your rights to access, rectify, delete, restrict, transfer, object to the processing of your personal data, lodge a complaint or ask any other question regarding cookies, please send your request to: 4 Podmiejska Street, 62-800 Kalisz or other contact details of the Controller indicated in the Privacy Policy.

8. PERIOD OF PROCESSING OF PERSONAL DATA

8.1. The duration of the Controller’s data processing depends on the type of service provided and the purpose of the processing. As a general rule, data shall be processed for the duration of the service, until the consent given is withdrawn or an effective objection is made to the processing in cases where the legal basis for the processing is the legitimate interest of the Controller.

8.2. The processing period may be extended if the processing is necessary for the establishment and assertion of possible claims or the defence against claims, and thereafter only if and to the extent required by law. At the end of the processing period, the data are irreversibly deleted or anonymised.

9. RIGHTS IN RELATION TO THE PROCESSING OF PERSONAL DATA

DATA SUBJECTS’ RIGHTS

9.1. Data subjects have the following rights:

9.1.1. the right to be informed about the processing of personal data – on this basis the Controller shall provide the individual making the request with information about the data processing, including in particular the purposes and legal grounds for the processing, the scope of the data held, the entities to which the data are disclosed and the planned date of data erasure;

9.1.2. the right to obtain a copy of the data – on this basis the Controller shall provide a copy of the processed data concerning the individual making the request;

9.1.3. right to rectification – The Controller is obliged to rectify any inconsistencies or errors in the Personal Data processed and to complete them if they are incomplete;

9.1.4. right to erasure – on this basis, you can request the erasure of data whose processing is no longer necessary for any of the purposes for which they were collected;

9.1.5. the right to restrict processing – if such a request is made, the Controller shall cease performing operations on the Personal Data – with the exception of operations to which the Data Subject has given his or her consent – and their storage, in accordance with the retention rules adopted or until the reasons for restricting the processing cease to exist (e.g. a decision is issued by a supervisory authority authorising further processing);

9.1.6. the right to data portability – on this basis – insofar as the data are processed by automated means in connection with a contract concluded or consent given – the Controller shall issue the data provided by the data subject in a computer-readable format. It is also possible to request that this data be sent to another entity, provided, however, that the technical capacity exists for this on the part of both the Controller and the designated entity;

9.1.7. the right to object to processing for marketing purposes – if applicable, the Data Subject may object at any time to the processing of Personal Data for marketing purposes, without having to justify such objection;

9.1.8. the right to object to other purposes of processing – The Data Subject may object at any time, on grounds relating to their particular situation, to the processing of Personal Data that is carried out on the basis of a legitimate interest of the Controller (e.g. reasons relating to the protection of property); the objection in this respect shall contain a justification;

9.1.9. the right to withdraw consent – if the data are processed on the basis of the consent given, the Data Subject has the right to withdraw the consent at any time, which, however, does not affect the lawfulness of the processing carried out before the withdrawal;

9.1.10. the right to complain – in the event that the processing of Personal Data is considered to be in breach of the provisions of the GDPR or other provisions relating to the protection of Personal Data, the Data Subject may lodge a complaint with the supervisory authority for the processing of Personal Data having jurisdiction over the Data Subject’s habitual place of residence, place of work or place where the alleged breach has been committed. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.

10. SUBMITTING REQUESTS RELATED TO THE EXERCISE OF RIGHTS

10.1. A request for the exercise of Data Subjects’ rights can be made:

10.1.1. in writing to the Controller’s address;

10.1.2. by e-mail to: iod@carnet.pl

10.2. The request should, as far as possible, indicate precisely what is being requested, i.e. in particular:

10.2.1. what right the requester wishes to exercise (e.g. right to obtain a copy of the data, right to erasure, etc.);

10.2.2. what processing the request concerns (e.g. use of a particular service, activity on a particular website, etc.);

10.2.3. which purposes of the processing the request relates to (e.g. purposes related to the provision of services, etc.).

10.3. If the Controller is unable to identify the individual on the basis of the request made, the Controller will request additional information from the applicant. It is not compulsory to provide such data, but failure to do so will result in the request being refused.

10.4. The request may be made in person or through a proxy (e.g. a family member). For reasons of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or an authorised solicitor or barrister, which will significantly speed up the verification of the authenticity of the request.

10.5. The application should be responded to within one month of receipt. If it is necessary to extend this period, the Controller shall inform the applicant of the reasons for this action.

10.6. Where the request has been addressed to the Controller electronically, the response shall be provided in the same form, unless the requester has requested a response in another form. In other cases, the response is given in writing. Where the timing of the request makes it impossible to respond in writing and the extent of the applicant’s data processed by the Controller allows for electronic contact, the response shall be provided electronically.

11. DATA RECIPIENTS

11.1. In certain cases, insofar as it is necessary to achieve the purposes described above, Personal Data will be disclosed to external entities providing services to the Controller (e.g. IT service and tool providers, providers of ordering and calling services, analytics and marketing companies).

11.2. If the User’s consent is obtained, his or her data may also be made available to other entities for their own purposes, including marketing purposes.

11.3. The Controller reserves the right to disclose selected information concerning the User to the competent authorities or to third parties who make a request for such information on the basis of an appropriate legal basis and in accordance with the provisions of the applicable law.

12. TRANSFER OF DATA OUTSIDE THE EEA

12.1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with an adequate degree of protection, primarily by:

12.1.1. cooperating with processors of Personal Data in countries for which a relevant European Commission decision has been issued as to whether an adequate level of protection of Personal Data is ensured; in some cases, the European Commission additionally requires such processor to participate in programmes approved by it of entities outside the EEA, the participants of which are obliged to provide Personal Data with the same protection as they enjoy in the European Union (for details, see here);

12.1.2. the use of standard contractual clauses issued by the European Commission; these, together with the required additional security measures, provide Personal Data with the same protection as they enjoy in the European Union; model contracts can be found here

12.1.3. the application of binding corporate rules approved by the competent supervisory authority.

12.2. Users’ personal data is transferred outside the EEA in the following cases:

12.2.1. in connection with the use of the Google Ads tool, which makes it possible to measure the effectiveness of advertising campaigns implemented by the Controller – Users’ Personal Data is transferred to Google LLC. based in the USA; The transfer of Personal Data to the subcontractor Google LLC. based in the USA, is carried out based on the adequacy decision referred to in section 12.1.1. above, in connection with this subcontractor’s registration on the Data Privacy Framework’s list of self-certified entities. Up-to-date information about the subcontractor’s listing on this scheme is available at the following link: https://www.dataprivacyframework.gov/participant/5780

12.2.2. in connection with the use of the Facebook Pixel tool, the provider of this tool, Meta Platforms Ireland Limited, based in Ireland, which has joint controller status, transfers Personal Data to its subcontractors located in the USA. Transfers of Personal Data to these subcontractors are based on an adequacy decision as referred to in paragraph 12.1.1 above, where the subcontractor has been granted a listing as a self-certified entity under the Data Privacy Framework, or based on standard contractual clauses issued by the European Commission; you have the right to obtain accurate information about the basis for transfers to a particular subcontractor of Meta Platforms Ireland Limited, including a copy of the standard contractual clauses establishing the relevant safeguards and a summary description of the security measures in place. To do so, contact iod@carnet.pl

12.2.3. in connection with the use of the HotJar tool to analyse User activity and produce reports and statistics, Users’ Personal Data is transferred by the provider of this tool, Hotjar Ltd. based in Malta, to its subcontractors located in the USA. Transfers of Personal Data to these subcontractors are based on an adequacy decision as referred to in 12.1.1 above, where the subcontractor has obtained a listing as a self-certified entity under the Data Privacy Framework, or based on standard contractual clauses issued by the European Commission; you have the right to obtain accurate information about the basis for transfers to a specific subcontractor of Hotjar Ltd, including a copy of the standard contractual clauses establishing the relevant safeguards and a summary description of the security measures in place. To do so, contact iod@carnet.pl

13. CONTACT DETAILS

13.1. Contact with the Controller is possible via the Controller’s email address kontakt@carnet.pl or the Controller’s mailing address.

13.2. The Controller has appointed a Data Protection Supervisor, Marcin Cwener, who can be contacted by e-mail iod@carnet.pl in writing to the Controller’s registered office address on any matter concerning the processing of Personal Data.

14. CHANGES TO THE PRIVACY POLICY

14.1. The policy is kept under review and updated as necessary.

14.2. The current version of the Policy has been adopted and is effective from 29/09/2023.