Controller – Consulting and More Sp. z o.o.
Personal Data – information relating to a natural person who is identified or identifiable by one or several specific factors describing the physical, physiological, genetic, mental, economic, cultural or social identity, including IP devices, location data, an online identifier and information collected using cookie files and others similar technologies.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Website – the website run by the Controller at the address www.more-ca.com.
User – any natural person visiting the Website or using one or several services or functionalities outlined in the Policy.
Data processing in connection with the use of the website
In connection with the User's use of the Website, the Controller collects data to the extent necessary to render specific services offered, as well as information about the User's Website activity. Detailed rules and purposes of processing personal data collected during the User's Website use are outlined below.
Purposes and legal basis for processing data on the website
USE OF THE WEBSITE
The personal data of all persons using the Website (including the IP address or other identifiers and information collected using cookies or other similar technologies) are processed by the Controller:
to provide services electronically in the scope of providing Users with content collected on the Website – in such a case, the legal basis for processing is the necessity of processing to perform a contract (Article 6(1)(b) GDPR);
for analytical and statistical purposes – in such a case, the legal basis for processing is the Controller's legitimate interest (Article 6(1)(f) GDPR) consisting of conducting analyses of Users' activity and preferences to improve the functionalities used and services provided;
to possibly determine and pursue claims or defend against them – the legal basis for processing is the Controller's legitimate interest (Article 6(1)(f) GDPR) consisting of the protection of its rights;
for the Controller's marketing purposes – the rules for processing personal data for marketing purposes are outlined in the "MARKETING" section.
The User's activity on the Website, including their personal data, is recorded in system logs (a special computer program used to store a chronological record containing information on events and activities related to the IT system used for the Controller's provision of services). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes it for technical and administrative purposes, for the purposes of ensuring the security of the IT system and of managing this system, as well as for analytical and statistical purposes – in this respect, the legal basis for processing is the Controller's legitimate interest (Article 6(1)(f) GDPR).
The Controller may process personal data to implement marketing activities that may consist of:
displaying marketing content to the User that is not adapted to their preferences (contextual advertising);
sending e-mail notifications about interesting offers or content that in some cases contain commercial information;
other types of activities related to direct marketing of goods and services (sending commercial information electronically, and telemarketing activities).
The legal basis for data processing for the purpose of carrying out the above-mentioned marketing activities is the Controller's legitimate interest (Article 6(1)(f) GDPR) consisting of the promotion of its own brand.
The Controller processes the personal data of Users visiting the Controller's profiles kept on social media (Facebook, LinkedIn, Instagram). These data are processed only in connection with the running of profiles, including to inform Users about the Controller's activity and to promote various types of events, services and products. The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) GDPR) consisting of promoting its own brand.
Cookies and similar technology
Cookies are small text files installed on the device of Users browsing the Website. Cookies collect information that facilitates the use of the website, for example, by remembering a User's visits to the Website and activities the User performed.
user input cookies, which are cookies with data entered by the User (session ID) for the duration of the session;
user interface customisation cookies, which are persistent cookies used to personalise the User interface for the duration of the session or slightly longer;
cookies used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyse how the User uses the Website, to create statistics and reports on the Website's functioning). Google does not use the collected data to identify the User or to combine this information to enable identification. Detailed information about the scope and principles of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
The User can configure their web browser in such a way as to prevent the installation of cookies on their terminal device. In addition, after ending a visit to the Website, the User may delete temporary files (including cookies) from their end device via the web browser settings.
Period of processing of personal data
The period of data processing by the Controller depends on the type of service rendered and the purpose of the processing. As a rule, data are processed for the duration of the service provision or order processing, until consent is withdrawn, or effective objection to the data processing is submitted in cases where the legal basis for the data processing is the Controller's legitimate interest.
The data processing period may be extended if the processing is necessary to establish and pursue any claims or to defend against them, and after this time only if and to the extent required by law. After the end of the processing period, the data are irreversibly erased or anonymised.
Rights of data subjects
Data subjects have the following rights:
the right to information about the processing of personal data – on this basis, the Controller provides information on the data processing to the person submitting the request, including primarily on the purposes and legal grounds for the processing, the scope of data held, the entities to which they are disclosed, and the planned date of erasure of the data;
the right to obtain a copy of the data – on this basis, the Controller provides a copy of the processed data related to the person submitting the request;
the right to rectification – the Controller is required to eliminate any irregularities or errors in the personal data being processed, and to supplement them if they are incomplete;
the right to erase data – on this basis, you may request the erasure of data the processing of which is no longer necessary to achieve any of the purposes for which they were collected;
the right to restriction of processing – if such a request is made, the Controller ceases to perform operations on the personal data – with the exception of operations to which the data subject has consented – and to store them, in accordance with accepted retention rules or until the reasons for the restriction of data processing cease (for example, a decision will be issued by a supervisory authority allowing further data processing);
the right to data portability – on this basis – to the extent that the data are processed in connection with a concluded contract or expressed consent – the Controller issues the data provided by the data subject in a format that can be read by a computer. It is also possible to request that these data be sent to another entity, provided, however, that there are technical possibilities in this regard both on the part of the Controller and the other entity;
the right to object to data processing for marketing purposes – the data subject may, at any time, object to the processing of personal data for marketing purposes, without the need to justify such an objection;
the right to object to other purposes of data processing – the data subject may, at any time, object to the processing of personal data that is based on the legitimate interest of the Controller (for example, for analytical or statistical purposes or for reasons related to the protection of property); an objection in this respect should include a justification;
the right to withdraw consent – if the data are processed based on expressed consent, the data subject has the right to withdraw it at any time; however, this does not affect the lawfulness of the processing carried out prior to the withdrawal of consent.
right to complain – if it is found that the processing of personal data violates the provisions of the GDPR or other provisions on personal data protection, the data subject may lodge a complaint to the President of the Personal Data Protection Office.
Requests regarding the implementation of the rights of data subjects can be lodged via the e-mail address email@example.com, via the contact form at www.more-ca.com/kontakt, or in writing to the following address: ul. Katowicka 4/9, 03-932 Warszawa, Poland.
In connection with the provision of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting services, couriers (in connection with the processing of orders), marketing agencies (in the field of marketing services), and entities related to the Controller, including companies from its capital group.
If the User's consent is obtained, their data may also be made available to other entities for their own purposes, including marketing purposes.
The Controller reserves the right to disclose selected information about the User to competent authorities or third parties that submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.
Transfer of data outside the EEA
The level of protection of personal data outside the European Economic Area (EEA) differs from that ensured by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and ensuring an adequate level of protection, mainly through:
cooperating with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;
using standard contractual clauses issued by the European Commission;
applying binding corporate rules approved by a competent supervisory authority;
in the case of transferring data to the USA – cooperating with entities participating in the Privacy Shield programme, approved by a decision of the European Commission.
The Controller always informs about its intention to transfer personal data outside the EEA at the stage of the data being collected.
Security of personal data
The Controller conducts ongoing risk analysis in order to ensure that it processes personal data in a secure manner, ensuring, above all, that only authorised persons have access to the data and only to the extent necessary given the tasks they perform. The Controller ensures that all operations carried out on personal data are recorded and carried out only by authorised employees and associates.
The Controller takes all necessary actions so that its subcontractors and other cooperating entities also guarantee the use of appropriate security measures whenever they process personal data at the request of the Controller.
The Policy is reviewed on an ongoing basis and updated as necessary. The current version of the Policy has been adopted and is effective from 24 May 2018.