Privacy policy

Żyrardowski Rower Miejski System (ŻRM System) Privacy Policy is targeted at familiarizing users of the ŻRM System with information required by Art. 13 and 14 of GDPR with regards to the processing of their data as part of the ŻRM System.

I. DEFINITIONS

1. Data Controller – Nextbike Polska S.A. under restructuring with its seat in Warsaw at ul. Przasnyska 6b, 01- 756 Warszawa.
2. Mobile Application – mobile application available on mobile phones and portable devices, offered by the Data Controller on devices with an installed Android and iOS system.
3. Personal Data – information about a natural person identified or possible to be identified by one or more unique factors identifying physical, physiological, genetic, metal, economic, cultural or social identity, including device IP address, location data, internet identifier and information collected by means of cookie files as well as by other similar technologies.
4. Nextbike Group – companies belonging to the Nextbike Group in the meaning of Art. 4 point 14 of the Act of 16 February 2007 on protection of competition and consumers.
5. Client – any natural person, participant of the Bike System, who has accepted the Terms of Service and carried out registration in the Bike System, thus concluding Agreement with the Operator.
6. Policy – hereby Privacy Policy.
7. Terms of Service – rules defining the principles and conditions of using the Bike System, in particular, the scope of rights and obligations and the responsibility of persons who avail of the possibility of using the Bike System managed by Data Controller. Terms of Service may be found at https://zyrardowskirower.pl/en/terms/.
8. GDPR – Regulation of the European Parliament and Council (EC) 2016/679 from 27 April 2016 on protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
9. Service – online service available at www.zyrardowskirower.pl or by means of the Mobile Application through which the Data Controller provides services to Users via electronic means, in particular, the service of bike rentals.
10. Bike System – the service of ŻRM, realized according to the principles specified in the Terms of Service.
11. Agreement – agreement between the Client and the Data Controller via the Service which establishes mutual rights and obligations specified in the hereby Terms of Service.
12. User – each natural person visiting the Service or using one or several services or functionalities specified in the Policy.
13. Trusted Partner – entity with which the Data Controller cooperates, whose marketing content is directed by the Controller to Clients and Users.

II. PROCESSING OF DATA IN RELATION TO THE USE OF THE SERVICE

1. In relation to the use of Service by Users, Data Controller gathers data in the scope necessary for the provision of individual offered services as well as data concerning User activities in the Service. Detailed principles and goals of the processing of personal data gathered in the course of using the Service by its Users have been outlined in detail below.

III. GOALS AND LEGAL BASIS FOR THE PROCESSING OF DATA IN THE SERVICE THE USE OF THE SERVICE

1. Personal data of all persons using the Service (including IP address or other identifiers and information gathered by means of cookies files or other similar technologies) who are not registered Users (that is who do not have a set-up profile in the Service) are processed by the Data Controller:
a. for the purpose of provision of service via electronic means in the scope of disclosing to Users of content gathered in the Service – in such a case the legal basis for the processing is the necessity to process data in order to execute the agreement (Art. 6 sec. 1 letter b of GDPR);
b. for analytical and statistical purposes – whereas the legal basis for the processing is the legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR); consisting of the conduct of analyses of Users’ activities as well as their preferences for the purpose of improving applicable functionalities and services provided;
c. for the purpose of potential establishing and pursuing claims or defending against claims – the legal basis of the processing is a legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR), constituting protection of his rights;
d. for marketing purposes of the Data Controller and other entities – the principles of processing personal data for marketing purposes have been specified in the MARKETING section.
2. User activities in the Service, including their personal data are registered in system logs (special computer software targeted at storing chronological records containing information about events and actions that concern the IT system for the provision of Data Controller’s services). Information gathered in the logs are, above all, processed for the purposes related to service provision. Data Controller processes them also for technical, administrative purposes in order to ensure safety of the IT system and managing this system as well as for analytical and statistical purposes – in this scope the legal basis of processing is a legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR).

REGISTRATION IN THE ŻYRARDOWSKI ROWER MIEJSKI SYSTEM
1. Persons who conduct registration in the Bike System are asked to enter data necessary for the processing and maintaining their account which is managed by the Data Controller. Such data may be removed at any point in time. Indication of data marked as obligatory is required for the purpose of setting up and maintaining the account and their non-indication results in lack of possibility to set up the account. Entering other data is voluntary.
2. Personal data of clients are processed for the purpose of:
a. Concluding and executing the Agreement according to the principles specified in the Terms of Service of the Żyrardowski Rower Miejski with regards to natural persons acting in their own name pursuant to Art. 6 sec. 1 letter b of GDPR as processing of personal data is necessary in order to conclude and execute this Agreement according to the principles specified in the Terms of Service of the Żyrardowski Rower Miejski.
b. Realization of obligations stemming from the provisions of law applicable to the Data Controller’s activity – pursuant to Art. 6 sec. 1 letter c of GDPR, that is, fulfilment of legal obligations with which the Data Controller is burdened, including those resulting from accounting, tax provisions or other special regulations.
c. Archiving – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, our legally justified interest which is the necessity to store evidence of conducted business.
d. Protection, establishing and pursuing claims – on the basis of Art. 6 sec. 1 letter f of GDPR.
e. Marketing own products and services further to sending commercial information concerning products, services, promotional offers and events – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, consent of the person who is the data subject if such consent was granted.
f. Ensuring safety of assets (equipment used as part of service provision) – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, justified interest of NEXTBIKE POLSKA S.A. under restructuring which is the possibility to ensure safety of offered equipment through gathering information allowing to locate the bike.
g. Conducting analyses and statistics – legal basis of processing its legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR), consisting of conducting analysis of activities of Users in the Service and the manner of using the account as well as User preferences in order to improve applicable functionalities;
2. If the User places any personal data of other persons on the Service (including first name and surname, address, telephone number or email address) he may do so solely under the condition of not breaching the provisions of law and personal goods of these persons.

CONTACT FORMS
1. Data Controller ensures the possibility of contacting them with the use of electronic contact forms. The use of the form requires entering Personal Data necessary in order to establish contact with the User and grant answers to the enquiry. The User may indicate also other data in order to facilitate contact or handling enquiries. Indication of data marked as obligatory is required for the purpose of accepting and handling enquiries and their non-indication results in lack of possibility of providing a service. Entering other data is voluntary.
2. Personal data are processed:
a. Handling demands or granting replies to questions submitted by means of the contact form – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, legally justified interest of the Data Controller; legally justified interest of Data Controller is enabling handling of demands and granting replies to questions asked, in particular, by person interested in obtaining the services;
b. Monitoring and improving the quality of services, including service provided for clients – pursuant to Art. 6 sec. 1 letter f of GDPR, that is legally justified interest of the Data Controller; enabling increase in the quality of services constitutes a legally justified interest of the Data Controller.

IV. SOCIAL MEDIA PORTALS

1. Data Controller processes Personal Data of Users visiting profiles of the Controller, maintained in social media – Facebook). Such data are processed solely in relation to maintaining a profile, including for the purpose of informing Users of Data Controller activities and promoting various types of events, services and products. Legal basis of personal data processing by the Data Controller for this purpose is his legally justified interest (Art. 6 sec. 1 letter f of GDPR),

V. COOKIES FILES AND THE SIMILAR TECHNOLOGY

1. Cookies files are small text files installed on User’s device browsing the Service. Cookies gather data that facilitate the use of the website – i.e. through remembering visits of the User in the Service and actions carried out by him.

“SERVICE” COOKIES
1. Data Controller uses the so-called service cookies, above all, in order to provide the User with services via electronic means and to improve the quality of such services. In this regard, Data Controller and other entities providing analytical and statistical services for him use cookies files, storing information or obtaining access to information already stored on the telecommunication end device of the User (computer, telephone, tablet etc.). Cookies files used for this purpose cover:
a. cookies files with data entered by the User (session identifier) for the duration of the session (user input cookies);
b. authentication cookies used for services that require authentication for the duration of the session;
c. user centric security cookies for ensuring safety, i.e. Used for detection of abuses in the scope of authentication;
d. multimedia player session cookies (i.e. Cookies files in flash player) for the duration of the session;
e. user interface customization cookies targeted at personalization of User interface for the duration of the session or slightly longer.

“MARKETING” COOKIES
1. Data Controller and its trusted partners also use cookies files for marketing purposes, among others, in relation to directing behavioural advertisements towards Users. For this purpose Data Controller and its trusted partners store information or obtain access to information already stored in the telecommunication User end device (computer, telephone, tablet etc.). List of trusted partners is available in Transparency Policy.

VI. ANALYTICAL AND MARKETING TOOLS APPLIED BY DATA CONTROLLER AND DATA CONTROLLER’S PARTNERS

1. Data Controller and its Partners apply various solutions and tools used for analytical and marketing purposes. Basic information concerning these tools may be found below. Detailed information in this regard may be found in the Privacy Policy of a given partner.

GOOGLE ANALYTICS
1. Google Analytics cookies files are files used by the Google company in order to analyse the manner of using the Service by the User in order to create statistics and reports concerning the Service operations. Google does not use the gathered data for identification of Users, nor does it combine these information in order to enable identification. Detailed information concerning the scope and the principles of collecting data in relation to this service may be found at: https://www.google.com/intl/pl/policies/privacy/partners.

GOOGLE ADWORDS
1. GOOGLE ADWORDS is a tool that enables measuring efficiency of advertising campaigns realized by Data Controller, allowing to analyse such data as keywords or number of unique users. The Google AdWords platform also allows to display our advertisements to persons who visited the Service in the past. Information concerning the processing of data by Google in the scope of the above service may be found at: https://policies.google.com/technologies/ads?hl=pl.

FACEBOOK PIXELS
1. Facebook pixels is a tool that enables measuring the effectiveness of advertising campaigns realized by the Data Controller on Facebook. The tool allows for an advanced analysis of data in order to optimize Data Controller’s actions also with the use of other tools offered by Facebook. Detailed information concerning data processing by Facebook may be found at: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.

SOCIAL MEDIA PLUG-INS
1. Social media plug-ins are used by the Service (Facebook, Google+, LinkedIn, Twitter). The plug-ins enable the User to place the content published in the Service on selected social media portals. Applying plug-ins in the Service causes that the given social media service obtains information about the use of the Service by the User and thus may assign them to that User’s profile created in a given social media portal. Data Controller does not possess the knowledge on the goal and scope of gathering data by social media portals. Detailed information concerning this topic may be found under the below links:
a. Facebook: https://www.facebook.com/policy.php
b. Google: https://privacy.google.com/take-control.html?categories_activeEl=sign-in
c. LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL
d. Twitter: https://twitter.com/en/privacy

VI. MANAGING COOKIES SETTINGS

1. The use of cookies files in order to gather them by means of data, including obtaining access to data saved on the User’s device requires obtaining the User’s consent. Such consent may be withdrawn at any point in time.
2. Permission is not required solely in case of cookies files the use of which is necessary in order to provide telecommunication services (data transmission in order to display content).
3. Withdrawal of a consent for the use of cookies files is possible by means of browser settings. Detailed information concerning this topic may be found under the below links:
a. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
b. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
c. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
d. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
e. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
4. The User may at any point in time verify the status of his current privacy settings assigned to the browser they use through the tools available under the below links:
a. http://www.youronlinechoices.com/pl/twojewybory
b. http://optout.aboutads.info/?c=2&lang=EN

VIII. Period PROCESS PERSONAL DATA

1. The period of data processing by Data Controller depends on the type of service provided and the goal of processing. As a rule, data are processed throughout the duration of service provision or order realization, execution of the legal obligation or until withdrawal of expressed consent or submission of effective objection against data processing in cases when the legal basis for processing of data is the legally justified interest of the Data Controller.
2. The period of data processing may be extended in case when the processing is necessary in order to establish and pursue potential claims or in order to protect oneself against claims and after such time solely in the case and scope in which the provisions of law shall require it. After the expiry of the period of data processing, their irrevocable removal or anonymization is obligatory.

IX. USER’S ENTITLEMENTS

1. The User shall be entitled to the right to access the content of data and demand their amendment, removal, limiting their processing, right to transfer data and submit an objection towards data processing as well as the right to submit complaints to the supervisory body dealing with the protection of personal data.
2. In the scope in which User data are processed on the basis of the consent such a consent may be withdrawn at any point in time through contact with the Data Controller.
3. The User is entitled to submitting an objection against data processing for marketing purposes should such processing occur in relation to the legally justified interest of the Data Controller as well as – due to causes related to a specific situation of the User – in other cases when the legal basis for data processing is the legally justified interest of the Data Controller (i.e. in relation to the realization of analytical and statistical goals).
4. More information concerning entitlements stemming from GDPR may be found in the Transparency Policy.

X. DATA RECIPIENTS AND TRANSFER OUTSIDE OF EEA

1. The anticipated recipients of personal data include: companies providing IT support to the data controller, suppliers of electronic post services and other IT services, post operators/couriers, entities servicing electronic payments; consulting companies with which the data controller cooperates, entities supporting marketing actions of the data controller, entities authorized to obtain personal data pursuant to actions at the order of the data controller or which provide services/goods to the data controller necessary to conduct its business as well as companies from the Nextbike groups.
2. At a certain stage, the transfer of personal data to third countries (outside of EEA) may be conducted. Data Controller conducts it on the basis of standard protection clauses (Art. 46, sec. 2 GDPR) and – if this is required – applies additional guarantees of protection of personal data in accordance with the standards in place in this regard or ensures another mechanism which complies with law and legalizes such a transfer to third states.

XI. CONTACT DETAILS

1. Contact with the data controller is possible via e-mail at [email protected], contact form at www.nextbike.pl, telephone at 22 208 99 90 or by letter to the address of the Nextbike Polska S.A. under restructuring seat.
2. Data Controller appointed Data Protection Inspector with which one may contact via e-mail at [email protected] concerning any matter related to personal data processing by the data controller.

XII. CHANGES IN THE PRIVACY POLICY

1. The policy is verified on an ongoing basis and updated if necessary.
2. The current version of the Policy was adopted and is binding as at 03.04.2024.

 

---

PERSONAL DATA PROCESSING POLICY
(Previous version)

1. DEFINITIONS

1.1. Controller – Nextbike Polska S.A. with its registered office in Warsaw (01-756), ul. Przasnyska 6b.

1.2. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining a physical, physiological, genetic, psychological, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected via recording equipment or other similar technology.

1.3. Policy – this personal data processing policy.

1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.5. Data subject – any natural person whose personal data is processed by the Controller, e.g. a person visiting the Controller’s premises or sending a query to the Controller in the form of an
e-mail.

2. DATA PROCESSING BY THE CONTROLLER

2.1. Due to the conducted business activity, the Controller collects and processes personal data in accordance with the appropriate regulations, especially with the GDPR, and the data processing rules included in them.

2.2. The Controller ensures transparency of data processing, particularly always informs about the processing of data at the moment of its collection, including about the purpose and legal basis for such processing – e.g. during conclusion of agreements for the sale of goods or services. The Controller makes sure that the data is collected only to the extent necessary for the indicated purpose and processed only for as long as it’s necessary.

2.3. In the course of processing data, the Controller ensures its security and confidentiality, as well as access of data subjects to their information. In the case of breach of personal data protection (e.g. “leak” of data or its loss) despite the used security measures, the Controller shall inform the data subjects about such event in a manner compliant with the regulations.

3. CONTRACT WITH THE CONTROLLER

3.1. The Controller may be contacted using the following e-mail address: [email protected], contact form at www.nextbike.pl, via telephone: 22 208 99 90 or in writing to the address of the registered office of Nextbike Polska S.A.

3.2. The Controller appointed a Data Protection Officer, who may be contacted using the following
e-mail address: [email protected] in any matter concerning the personal data processing.

4. SECURITY OF PERSONAL DATA

4.1. In order to ensure the integrity and confidentiality of data, the Controller implemented procedures that only allow authorized persons to access the personal data and only to the extent to which it’s necessary due to the tasks performed by them. The Controller uses organizational and technical solutions in order to ensure that all operations on personal data are recorded and carried out only by authorized persons.

4.2. The Controller also undertakes all necessary actions to ensure that its subcontractors and other cooperating entities provide guarantee of using appropriate security measures in every case, when they process personal data on behalf of the Controller.

4.3. The Controller conducts risk analysis on an on-going basis and monitors the adequacy of used data security measures in regard to the identified threats. If there’s such a need, the Controller shall implement additional measures aimed at increasing the data security.

5. PURPOSES AND LEGAL BASIS FOR PROCESSING

5.1. NEXTBIKE WEBSITES

5.1.1. Personal data of all persons using the Controller’s websites (www.nextbike.pl and websites of individual city bike systems operated by the Controller), including IP addresses or other identifiers, as well as information collected via cookies or other similar technologies, is processed:

a. in order to provide services electronically in the scope of making available to users the contents collected on the website – in such case the legal basis for processing is the necessity of processing in order to implement the agreement (article 6, paragraph 1(b) of the GDPR);

b. for analytical and statistical purposes – in such case the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of conducting the analysis of users’ activity, as well as their preferences in order to improve the used functionalities and provided services;

c. in order to possibly determine and pursue claims or defend against them – in such case, the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of the protection of its rights;

d. for marketing purposes of the Controller and other entities – rules for the processing of personal data for marketing purposes are described in the “Marketing” section below.

5.1.2. The user’s activity on the Controller’s website, including its personal data, is recorded in system logs (special computer program intended for the storing of chronological record containing information about events and activities concerning the IT system used to provide services by the Controller). Information collected in the logs is processed mainly for the purposes associated with the provision of services. The Controller also processes them for technical and administrative purposes, in order to ensure the security of the IT system, as well as management of this system, and also for analytical and statistical purposes – in this scope the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).

5.1.3. Session that the user’s web browser establishes with the Controller’s servers, from the moment of logging in to logging out of the website, is protected with the use of TLS protocol. This means that all data, including personal data, is sent with the use of cryptographic protection (encryption).

5.2. MARKETING

5.2.1. The Controller processes personal data of users in order to implement marketing activities, which may consist of:

a. displaying marketing contents to the user that are not adapted to its preferences (contextual advertising);

b. displaying marketing contents to the user that correspond to its interests (behavioural advertising);

c. conducting other types of activities associated with direct marketing of goods and services (sending commercial information via electronic means and telemarketing activities).

5.2.2. The Controller may use profiling in some cases in order to implement marketing activities. This means that thanks to the automatic processing of data, the Controller evaluates the selected factors regarding natural persons, in order to analyze their behaviour or to create a forecast for the future. In such case, the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).

5.3. COOKIES AND SIMILAR TECHNOLOGY

5.3.1. Cookies are small text files installed on the device of the user browsing the website. Cookies collect information that facilitates the use of the website – e.g. through memorizing the user’s visits on the website and the activities carried out by the given user. In such case, the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).

5.3.2. The Controller uses cookies mainly to provide the user with services ensured via electronic means and to improve the quality of these services. Thus, the Controller and other entities providing on its behalf analytical and statistical services use cookies by storing information or getting access to information already stored in the user’s telecommunications end device (computer, telephone, tablet, etc.). Cookies used for this purpose include:

a. cookies with data entered by the user (session identifier) for the duration of the session (user input cookies);

b. authentication cookies used for services requiring authentication for the duration of the session (authentication cookies);

c. cookies used to ensure security, e.g. used to detect fraud in the scope of authentication (user centric security cookies);

d. session cookies for multimedia players (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);

e. permanent cookies used to personalize the user interface for the duration of the session or a little longer (user interface customization cookies),

f. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these files are used by Google in order to analyse how the user uses the website, to generate statistics and reports regarding the functioning of the website). Google Analytics is also used to direct the behavioural advertising to users. Google does not use the collected data to identify the user and it does not combine this information in order to allow identification. Detailed information about the scope and rules of data collection in connection with this service may be found at:
https://www.google.com/intl/pl/policies/privacy/partners

5.4. LOCATION DATA

5.4.1. Mobile applications made available by the Controller, such as Nextbike application, Veturilo application or Citi Handlowy Bike application, as well as some of the Controller’s websites, e.g. www.veturilo.waw.pl or www.bikerbialystok.pl, may use location data of the user’s device (computer, mobile phone, tablet, etc.).

5.4.2. In particular, the Controller processes location data in order to provide the user with a map indicating the nearest Nextbike’s bike stations. The user is informed about all other purposes of location data processing in separate information clauses.

5.4.3. The legal basis for processing of such data is the user’s consent (article 6, paragraph 1(a) of the GDPR) given by providing a mobile application or web browser with access to user’s device location data.

5.5. CONTACT FORMS AVAILABLE ON THE WEBSITES

5.5.1. The Controller provides the possibility to contact it with the use of electronic contact forms, which are available on the Controller’s websites. Using the form requires providing personal data necessary to contact the user and reply to the inquiry. The user may also provide other data in order to facilitate contact or handling of the inquiry. Providing data marked as obligatory is required in order to receive and handle the inquiry, and failure to provide such data results in a lack of the possibility to handle such inquiry. Provision of other data is voluntary.

5.5.2. Personal data is processed:

a. in order to identify the sender and handle the request or answer the question sent via the contact form – the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of enabling the handling of requests and answering questions asked particularly by persons interested in Controller’s services;

b. in order to monitor and improve the quality of services, including customer service – the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of enabling the improvement of quality of services provided by the Controller.

5.6. E-MAIL AND TRADITIONAL CORRESPONDENCE

5.6.1. In the case of e-mail or traditional correspondence sent to the Controller, the personal data contained in such correspondence is processed only for the purpose of communication and resolving the matter associated with such correspondence.

5.6.2. The legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of implementation of the correspondence addressed to the Controller in connection with its business activity.

5.6.3. The Controller processes only personal data relevant to the matter associated with the given correspondence. All correspondence is stored in a manner ensuring the security of personal data (and other information) contained in it and it’s disclosed only to authorized persons.

5.7. TELEPHONE CONTACT

5.7.1. In the case of contacting the Controller via telephone, the Controller may request the provision of personal data only when it will be necessary to handle the matter associated with the given contact. In such case, the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR) consisting of allowing the service of requests and answering the questions asked by persons interested in the Controller’s services.

5.7.2. Telephone calls also may be recorded – in such case, appropriate information is provided at the beginning of the call. Calls are recorded in order to monitor the quality of provided services and to verify the work of consultants. The recordings are available only to the Controller’s employees and persons servicing the Controller’s helpline. The legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of allowing for the improvement of quality of services provided by the Controller.

5.8. SOCIAL MEDIA

5.8.1. The Controller processes personal data of the users visiting the Controller’s profiles in social media (Facebook, YouTube, Instagram, Twitter). This data is processed only in connection with running the profile, including to inform Users about the activity of the Controller and to promote various types of events, services and products. The legal basis for processing of personal data by the Controller for this purpose is its justified interest (article 6, paragraph 1(f) of the GDPR), consisting of promoting its own brand.

5.9. VIDEO MONITORING AND ACCESS CONTROL

5.9.1. In order to ensure the safety of persons and property, the Controller uses video monitoring and controls access to premises and the area under its management. Data collected in such manner is not used for any other purposes.

5.9.2. Personal data in the form of recordings from the monitoring and data collected in the register of entries and exits are processed in order to ensure security and order on the premises, and possibly in order to defend against claims or their pursuit. The legal basis for personal data processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of ensuring the security of Controller’s property and protection of its rights.

5.10. RECRUITMENT

5.10.1. Within the recruitment processes, the Controller expects the transfer of personal data (e.g. in a CV or resume) only in the scope determined in provisions of the labour law. Thus, information should not be passed in a wider scope. In the case when the sent applications will contain additional data, such data won’t be used, nor taken into account in the recruitment process.

5.10.2. Personal data is processed:

a. in order to comply with obligations resulting from provisions of the law, associated with the employment process, including particularly the Labour Code – the legal basis for processing is the legal obligation of the Controller (article 6, paragraph 1(c) of the GDPR in connection with provisions of the Labour Code);

b. in order to carry out a recruitment process in the scope of data not required by provisions of the law, as well as for the purposes of future recruitment processes – the legal basis for processing is the given consent (article 6, paragraph 1(a) of the GDPR);

c. in order to determine or pursue any possible claims or to defend against such claims – the legal basis for data processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).

5.11. COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR IMPLEMENTATION OF OTHER AGREEMENTS

5.11.1. In the case of collection of data for purposes associated with the implementation of a specific agreement, also via website, the Controller provides the data subject with detailed information concerning the processing of its personal data at the moment of conclusion of the agreement.

5.12. COLLECTION OF DATA IN OTHER CASES

5.12.1. In connection with the conducted business activity, the Controller collects personal data also in other cases – e.g. during business meetings, industry events or through exchange of business cards – for purposes associated with initiating and maintaining business contacts. In this case, the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of creating a network of contacts in connection with the conducted business activity.

5.12.2. Personal data collected in such cases is processed only for the purpose for which the given personal data was collected and the Controller ensures its appropriate protection.

6. DATA RECIPIENTS

6.1. In connection with conducting business activity requiring processing, the personal data is disclosed to external entities, including particularly suppliers responsible for the handling of IT systems and equipment (e.g. CCTV equipment, GPS location services), entities providing legal or accounting services, couriers, marketing agencies or recruitment agencies. The data may be also disclosed to selected partners of the Controller, e.g. within implementation of the promotional campaigns participated by the data subject.

6.2. The Controller reserves the right to disclose selected information regarding the data subject to competent authorities or third parties who will submit a request for providing such information based on appropriate legal basis and in accordance with the provisions of applicable law.

7. TRANSFER OF DATA OUTSIDE THE EEA

7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by the European law. Due to that fact, the Controller transfers personal data outside the EEA only when it’s necessary and with ensuring an adequate level of protection, mainly through:

7.1.1. cooperation with entities processing personal data in countries in regard to which an appropriate decision of the European Commission has been issued;

7.1.2. use of standard contractual clauses issued by the European Commission;

7.1.3. application of binding corporate rules approved by the competent supervisory authority;

7.1.4. in the case of data transfer to the USA – cooperation with entities participating in the Privacy Shield program, approved by the decision of the European Commission.

7.2. The Controller always informs about the intention to transfer personal data outside the EEA at the stage of its collection.

8. PERIOD OF THE PERSONAL DATA PROCESSING

8.1. The period of data processing by the Controller depends on the type of provided service and the purpose of processing. The period of data processing may also result from the regulations in the case when they constitute the basis for processing. In the case of data processing based on the justified interest of the Controller – e.g. due to security reasons – the data is processed for a period allowing for implementation of this interest or until the submission of objection in regard to data processing. If the processing is carried out on the basis of consent, the data is processed until its withdrawal. When the basis for processing is the necessity to conclude or implement the agreement, the data is processed until it is terminated.

8.2. The data processing period may be extended in the case, when the processing is necessary to establish or pursue claims or defend against claims, and after this period – only in the case and to the extent that it will be required by provisions of the law. After the expiration of processing period, the data is irreversibly deleted or anonymised.

9. RIGHTS ASSOCIATED WITH THE PERSONAL DATA PROCESSING
RIGHTS OF THE DATA SUBJECTS

9.1. The data subjects have the following rights:

9.1.1. right to information regarding the processing of personal data – on this basis, the Controller provides information regarding the processing of data to person submitting the request, including primarily about the purposes and legal basis for processing, the scope of possessed data, entities to which the data is disclosed and the planned date of deletion of such data;

9.1.2. right to obtain a copy of the data – on this basis, the Controller provides a copy of processed data concerning the person submitting the request;

9.1.3. right to correct – the Controller is obliged to remove any possible incompatibilities or errors of processed personal data and to supplement data if it is incomplete;

9.1.4. right to delete data – on this basis, it’s possible to request deletion of data, the processing of which is no longer necessary to implement any of the purposes for which such data was collected;

9.1.5. right to limit processing – in the case of submitting such a request, the Controller ceases to perform operations on personal data – except for operations agreed by the data subject – and its storage, in accordance with adopted retention rules or until the reasons for limiting data processing have ceased to exist (e.g. decision of the supervisory authority is issued allowing for further processing of data);

9.1.6. right to data transfer – on this basis – in the scope in which the data is processed in connection with the concluded agreement or given consent – the Controller issues data provided by the data subject in a format that allows its reading by the computer. It is also possible to request that data to be sent to another entity – however provided that there are technical possibilities in this scope on the part of the Controller as well as on the part of such other entity;

9.1.7. right to object to the data processing for marketing purposes – at any time, the data subject may object to the processing of personal data for marketing purposes, without the need to justify such objection;

9.1.8. right to object to other purposes of data processing – at any time, the data subject may object to the processing of personal data, which is carried out on the basis of the justified interest of the Controller (e.g. for analytical or statistical purposes or for reasons associated with the protection of property); the objection in this scope should include a justification;

9.1.9. right to withdraw consent – if the data is processed on the basis of given consent, the data subject has the right to withdraw it at any time, however such withdrawal does not affect the legality of processing carried out prior to the withdrawal of consent.

9.1.10. right to lodge a complaint – if it’s found that the processing of personal data violates provisions of the GDPR or other provisions regarding the protection of personal data, the data subject may lodge a complaint to the President of the Personal Data Protection Office.

9.2. SUBMISSION OF REQUESTS RELATED TO EXERCISE OF THE RIGHTS

9.2.1. Application regarding exercise of the rights of the data subjects may be submitted:

a. in written form to the following address: ul. Przasnyska 6b, 01-756 Warszawa;

b. via e-mail to the following address: [email protected]

9.2.2. If the Controller won’t be able to identify the person submitting the application on the basis of submitted application, the Controller will ask the applicant for additional information.

9.2.3. The application may be submitted in person or through a proxy (e.g. a family member). Due to the security of data, the Controller encourages the use of power of attorney in a form certified by a notary or authorized legal counsel or attorney, which will significantly accelerate the verification of application’s authenticity.

9.2.4. Reply to the application should be given within one month from its receipt. If it is necessary to extend this deadline, the Controller informs the applicant about the reasons for the delay.

9.2.5. Reply is provided via traditional mail, unless the application was submitted via e-mail or a reply in electronic form was requested.

9.2.6. The data subject may also correct or update its personal data by himself/herself, as well as withdraw his/her previously given consents to the processing of personal data and to the provision of marketing information, with the use of Controller’s websites. In order to do this, it’s necessary to log in to the website (e.g. www.nextbike.pl), go to the “User settings” tab and make appropriate changes.

9.3. RULES FOR CHARGING THE FEES

9.3.1. Procedure concerning the submitted applications is free. Fees can only be charged in the case of:

a. submitting the request to issue the second and each subsequent copy of data (the first copy of data is free); in such case, the Controller may request the payment of a fee amounting to 30 PLN.
The above-mentioned fee includes administrative costs associated with the implementation of the request.

b. submitting excessive requests (e.g. extremely frequent) by the same person or evidently unjustified requests; in such case, the Controller may request a fee in the amount of 100 PLN.
The above-mentioned fee includes the costs of communication and the costs associated with undertaking the requested actions.

9.3.2. In the case of contesting the decision regarding imposition of a fee, the data subject may lodge a complaint to the President of the Personal Data Protection Office.

10. MODIFICATIONS OF THE PERSONAL DATA PROCESSING POLICY

This policy is verified on an ongoing basis and it is updated if such a need occurs. The current version of this Policy was adopted on 23 May 2018.