Chełmski Rower System (ChR System) Privacy Policy is targeted at familiarizing users of the ChR System with information required by Art. 13 and 14 of GDPR with regards to the processing of their data as part of the ChR System.
I. DEFINITIONS
1. Data Controller – Nextbike Polska S.A. under restructuring with its seat in Warsaw at ul. Przasnyska 6b, 01- 756 Warszawa.
2. Mobile Application – mobile application available on mobile phones and portable devices, offered by the Data Controller on devices with an installed Android and iOS system.
3. Personal Data – information about a natural person identified or possible to be identified by one or more unique factors identifying physical, physiological, genetic, metal, economic, cultural or social identity, including device IP address, location data, internet identifier and information collected by means of cookie files as well as by other similar technologies.
4. Nextbike Group – companies belonging to the Nextbike Group in the meaning of Art. 4 point 14 of the Act of 16 February 2007 on protection of competition and consumers.
5. Client – any natural person, participant of the Bike System, who has accepted the Terms of Service and carried out registration in the Bike System, thus concluding Agreement with the Operator.
6. Policy – hereby Privacy Policy.
7. Terms of Service – rules defining the principles and conditions of using the Bike System, in particular, the scope of rights and obligations and the responsibility of persons who avail of the possibility of using the Bike System managed by Data Controller. Terms of Service may be found at https://chelmskirower.pl/regulamin-systemu-chelmski-rower/
8. GDPR – Regulation of the European Parliament and Council (EC) 2016/679 from 27 April 2016 on protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
9. Service – online service available at www.chelmskirower.pl or by means of the Mobile Application through which the Data Controller provides services to Users via electronic means, in particular, the service of bike rentals.
10. Bike System – the service of ChR, realized according to the principles specified in the Terms of Service.
11. Agreement – agreement between the Client and the Data Controller via the Service which establishes mutual rights and obligations specified in the hereby Terms of Service.
12. User – each natural person visiting the Service or using one or several services or functionalities specified in the Policy.
13. Trusted Partner – entity with which the Data Controller cooperates, whose marketing content is directed by the Controller to Clients and Users.
II. PROCESSING OF DATA IN RELATION TO THE USE OF THE SERVICE
1. In relation to the use of Service by Users, Data Controller gathers data in the scope necessary for the provision of individual offered services as well as data concerning User activities in the Service. Detailed principles and goals of the processing of personal data gathered in the course of using the Service by its Users have been outlined in detail below.
III. GOALS AND LEGAL BASIS FOR THE PROCESSING OF DATA IN THE SERVICE THE USE OF THE SERVICE
1. Personal data of all persons using the Service (including IP address or other identifiers and information gathered by means of cookies files or other similar technologies) who are not registered Users (that is who do not have a set-up profile in the Service) are processed by the Data Controller:
a. for the purpose of provision of service via electronic means in the scope of disclosing to Users of content gathered in the Service – in such a case the legal basis for the processing is the necessity to process data in order to execute the agreement (Art. 6 sec. 1 letter b of GDPR);
b. for analytical and statistical purposes – whereas the legal basis for the processing is the legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR); consisting of the conduct of analyses of Users’ activities as well as their preferences for the purpose of improving applicable functionalities and services provided;
c. for the purpose of potential establishing and pursuing claims or defending against claims – the legal basis of the processing is a legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR), constituting protection of his rights;
d. for marketing purposes of the Data Controller and other entities – the principles of processing personal data for marketing purposes have been specified in the MARKETING section.
2. User activities in the Service, including their personal data are registered in system logs (special computer software targeted at storing chronological records containing information about events and actions that concern the IT system for the provision of Data Controller’s services). Information gathered in the logs are, above all, processed for the purposes related to service provision. Data Controller processes them also for technical, administrative purposes in order to ensure safety of the IT system and managing this system as well as for analytical and statistical purposes – in this scope the legal basis of processing is a legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR).
REGISTRATION IN THE CHEŁMSKI ROWER SYSTEM
1. Persons who conduct registration in the Bike System are asked to enter data necessary for the processing and maintaining their account which is managed by the Data Controller. Such data may be removed at any point in time. Indication of data marked as obligatory is required for the purpose of setting up and maintaining the account and their non-indication results in lack of possibility to set up the account. Entering other data is voluntary.
2. Personal data of clients are processed for the purpose of:
a. Concluding and executing the Agreement according to the principles specified in the Terms of Service of the Chełmski Rower with regards to natural persons acting in their own name pursuant to Art. 6 sec. 1 letter b of GDPR as processing of personal data is necessary in order to conclude and execute this Agreement according to the principles specified in the Terms of Service of the Chełmski Rower.
b. Realization of obligations stemming from the provisions of law applicable to the Data Controller’s activity – pursuant to Art. 6 sec. 1 letter c of GDPR, that is, fulfilment of legal obligations with which the Data Controller is burdened, including those resulting from accounting, tax provisions or other special regulations.
c. Archiving – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, our legally justified interest which is the necessity to store evidence of conducted business.
d. Protection, establishing and pursuing claims – on the basis of Art. 6 sec. 1 letter f of GDPR.
e. Marketing own products and services further to sending commercial information concerning products, services, promotional offers and events – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, consent of the person who is the data subject if such consent was granted.
f. Ensuring safety of assets (equipment used as part of service provision) – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, justified interest of NEXTBIKE POLSKA S.A. under restructuring which is the possibility to ensure safety of offered equipment through gathering information allowing to locate the bike.
g. Conducting analyses and statistics – legal basis of processing its legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR), consisting of conducting analysis of activities of Users in the Service and the manner of using the account as well as User preferences in order to improve applicable functionalities;
2. If the User places any personal data of other persons on the Service (including first name and surname, address, telephone number or email address) he may do so solely under the condition of not breaching the provisions of law and personal goods of these persons.
CONTACT FORMS
1. Data Controller ensures the possibility of contacting them with the use of electronic contact forms. The use of the form requires entering Personal Data necessary in order to establish contact with the User and grant answers to the enquiry. The User may indicate also other data in order to facilitate contact or handling enquiries. Indication of data marked as obligatory is required for the purpose of accepting and handling enquiries and their non-indication results in lack of possibility of providing a service. Entering other data is voluntary.
2. Personal data are processed:
a. Handling demands or granting replies to questions submitted by means of the contact form – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, legally justified interest of the Data Controller; legally justified interest of Data Controller is enabling handling of demands and granting replies to questions asked, in particular, by person interested in obtaining the services;
b. Monitoring and improving the quality of services, including service provided for clients – pursuant to Art. 6 sec. 1 letter f of GDPR, that is legally justified interest of the Data Controller; enabling increase in the quality of services constitutes a legally justified interest of the Data Controller.
IV. SOCIAL MEDIA PORTALS
1. Data Controller processes Personal Data of Users visiting profiles of the Controller, maintained in social media – Facebook). Such data are processed solely in relation to maintaining a profile, including for the purpose of informing Users of Data Controller activities and promoting various types of events, services and products. Legal basis of personal data processing by the Data Controller for this purpose is his legally justified interest (Art. 6 sec. 1 letter f of GDPR),
V. COOKIES FILES AND THE SIMILAR TECHNOLOGY
1. Cookies files are small text files installed on User’s device browsing the Service. Cookies gather data that facilitate the use of the website – i.e. through remembering visits of the User in the Service and actions carried out by him.
“SERVICE” COOKIES
1. Data Controller uses the so-called service cookies, above all, in order to provide the User with services via electronic means and to improve the quality of such services. In this regard, Data Controller and other entities providing analytical and statistical services for him use cookies files, storing information or obtaining access to information already stored on the telecommunication end device of the User (computer, telephone, tablet etc.). Cookies files used for this purpose cover:
a. cookies files with data entered by the User (session identifier) for the duration of the session (user input cookies);
b. authentication cookies used for services that require authentication for the duration of the session;
c. user centric security cookies for ensuring safety, i.e. Used for detection of abuses in the scope of authentication;
d. multimedia player session cookies (i.e. Cookies files in flash player) for the duration of the session;
e. user interface customization cookies targeted at personalization of User interface for the duration of the session or slightly longer.
“MARKETING” COOKIES
1. Data Controller and its trusted partners also use cookies files for marketing purposes, among others, in relation to directing behavioural advertisements towards Users. For this purpose Data Controller and its trusted partners store information or obtain access to information already stored in the telecommunication User end device (computer, telephone, tablet etc.). List of trusted partners is available in Transparency Policy.
VI. ANALYTICAL AND MARKETING TOOLS APPLIED BY DATA CONTROLLER AND DATA CONTROLLER’S PARTNERS
1. Data Controller and its Partners apply various solutions and tools used for analytical and marketing purposes. Basic information concerning these tools may be found below. Detailed information in this regard may be found in the Privacy Policy of a given partner.
GOOGLE ANALYTICS
1. Google Analytics cookies files are files used by the Google company in order to analyse the manner of using the Service by the User in order to create statistics and reports concerning the Service operations. Google does not use the gathered data for identification of Users, nor does it combine these information in order to enable identification. Detailed information concerning the scope and the principles of collecting data in relation to this service may be found at: https://www.google.com/intl/pl/policies/privacy/partners.
GOOGLE ADWORDS
1. GOOGLE ADWORDS is a tool that enables measuring efficiency of advertising campaigns realized by Data Controller, allowing to analyse such data as keywords or number of unique users. The Google AdWords platform also allows to display our advertisements to persons who visited the Service in the past. Information concerning the processing of data by Google in the scope of the above service may be found at: https://policies.google.com/technologies/ads?hl=pl.
FACEBOOK PIXELS
1. Facebook pixels is a tool that enables measuring the effectiveness of advertising campaigns realized by the Data Controller on Facebook. The tool allows for an advanced analysis of data in order to optimize Data Controller’s actions also with the use of other tools offered by Facebook. Detailed information concerning data processing by Facebook may be found at: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
SOCIAL MEDIA PLUG-INS
1. Social media plug-ins are used by the Service (Facebook, Google+, LinkedIn, Twitter). The plug-ins enable the User to place the content published in the Service on selected social media portals. Applying plug-ins in the Service causes that the given social media service obtains information about the use of the Service by the User and thus may assign them to that User’s profile created in a given social media portal. Data Controller does not possess the knowledge on the goal and scope of gathering data by social media portals. Detailed information concerning this topic may be found under the below links:
a. Facebook: https://www.facebook.com/policy.php
b. Google: https://privacy.google.com/take-control.html?categories_activeEl=sign-in
c. LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL
d. Twitter: https://twitter.com/en/privacy
VI. MANAGING COOKIES SETTINGS
1. The use of cookies files in order to gather them by means of data, including obtaining access to data saved on the User’s device requires obtaining the User’s consent. Such consent may be withdrawn at any point in time.
2. Permission is not required solely in case of cookies files the use of which is necessary in order to provide telecommunication services (data transmission in order to display content).
3. Withdrawal of a consent for the use of cookies files is possible by means of browser settings. Detailed information concerning this topic may be found under the below links:
a. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
b. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
c. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
d. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
e. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
4. The User may at any point in time verify the status of his current privacy settings assigned to the browser they use through the tools available under the below links:
a. http://www.youronlinechoices.com/pl/twojewybory
b. http://optout.aboutads.info/?c=2&lang=EN
VIII. Period PROCESS PERSONAL DATA
1. The period of data processing by Data Controller depends on the type of service provided and the goal of processing. As a rule, data are processed throughout the duration of service provision or order realization, execution of the legal obligation or until withdrawal of expressed consent or submission of effective objection against data processing in cases when the legal basis for processing of data is the legally justified interest of the Data Controller.
2. The period of data processing may be extended in case when the processing is necessary in order to establish and pursue potential claims or in order to protect oneself against claims and after such time solely in the case and scope in which the provisions of law shall require it. After the expiry of the period of data processing, their irrevocable removal or anonymization is obligatory.
IX. USER’S ENTITLEMENTS
1. The User shall be entitled to the right to access the content of data and demand their amendment, removal, limiting their processing, right to transfer data and submit an objection towards data processing as well as the right to submit complaints to the supervisory body dealing with the protection of personal data.
2. In the scope in which User data are processed on the basis of the consent such a consent may be withdrawn at any point in time through contact with the Data Controller.
3. The User is entitled to submitting an objection against data processing for marketing purposes should such processing occur in relation to the legally justified interest of the Data Controller as well as – due to causes related to a specific situation of the User – in other cases when the legal basis for data processing is the legally justified interest of the Data Controller (i.e. in relation to the realization of analytical and statistical goals).
4. More information concerning entitlements stemming from GDPR may be found in the Transparency Policy.
X. DATA RECIPIENTS AND TRANSFER OUTSIDE OF EEA
1. The anticipated recipients of personal data include: companies providing IT support to the data controller, suppliers of electronic post services and other IT services, post operators/couriers, entities servicing electronic payments; consulting companies with which the data controller cooperates, entities supporting marketing actions of the data controller, entities authorized to obtain personal data pursuant to actions at the order of the data controller or which provide services/goods to the data controller necessary to conduct its business as well as companies from the Nextbike groups.
2. At a certain stage, the transfer of personal data to third countries (outside of EEA) may be conducted. Data Controller conducts it on the basis of standard protection clauses (Art. 46, sec. 2 GDPR) and – if this is required – applies additional guarantees of protection of personal data in accordance with the standards in place in this regard or ensures another mechanism which complies with law and legalizes such a transfer to third states.
XI. CONTACT DETAILS
1. Contact with the data controller is possible via e-mail at [email protected], contact form at www.nextbike.pl, telephone at 22 208 99 90 or by letter to the address of the Nextbike Polska S.A. under restructuring seat.
2. Data Controller appointed Data Protection Inspector with which one may contact via e-mail at [email protected] concerning any matter related to personal data processing by the data controller.
XII. CHANGES IN THE PRIVACY POLICY
1. The policy is verified on an ongoing basis and updated if necessary.
2. The current version of the Policy was adopted and is binding as at 01.07.2023.