DATA PROCESSING PRINCIPLES
PRIVACY POLICY OF THE CAR ELECTRONICS WORKSHOP BELONGING TO PHU DAWID KREPS
1. INTRODUCTION
The purpose of introducing the Privacy Policy is to properly inform you about matters related to the processing of personal data, especially in view of the content of new regulations on the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”). In this document, we provide information on the legal basis for the processing of personal data, the methods of collecting and using them, as well as the rights of data subjects related to them.
2. PERSONAL DATA AND THEIR PROCESSING
Personal data means information about an identified or identifiable natural person.
Personal data processing is any action on personal data, regardless of whether it is performed in an automated manner or not, e.g. collecting, storing, recording, organizing, modifying, viewing, using, sharing, limiting, deleting or destroying.
The RENOtech Workshop belonging to PHU Dawid Kreps, ul. Sokołów 2/II/7, 41-943 Piekary Śląskie with its registered office in Tychy, at ul. Stefana Grota-Roweckiego 35/22, 43-100 Tychy NIP 4980185564, hereinafter referred to as the “Workshop”, processes personal data for various purposes, and depending on the purpose, different methods of collection, legal grounds for processing, use, disclosure and storage periods may apply.
The Workshop ensures that data processing is minimized in terms of:
a) the adequacy of data for purposes (quantity of data and scope of processing) – by periodically verifying the scope of data obtained and the scope of their processing,
b) access to data – by applying legal, physical and logical mechanisms that secure access restrictions, each time updating the personnel authorized to process data,
c) the duration of data storage – by verifying the life cycle of personal data, legal requirements for storing specific categories of data and, as a consequence, making decisions on deleting data or properly archiving it.
3. APPLICATION OF PRIVACY POLICY
This document applies to all cases in which the Workshop is the controller of personal data and processes personal data.
The application of this document applies to both cases in which the Workshop processes personal data obtained directly from the data subject and cases in which personal data were obtained from other sources.
In fulfilling the information obligations specified in Art. 13 and Art. 14 of the GDPR in accordance with these provisions, we indicate the full details of the Workshop as the controller of personal data:
a) Workshop, email address: kontakt@renotech.pro, tel.: 793070887,
b) The person responsible for the protection of personal data is the owner – Dawid Kreps.
4. LEGAL BASIS FOR DATA PROCESSING
When collecting, using, sharing and otherwise processing information/data about the user for the purposes described in this policy, the Workshop operates on the basis of the following legal principles:
a) Processing is carried out out of the need to comply with concluded agreements, framework agreements, agreements in all forms permitted by law and to the extent necessary to provide the Workshop services,
b) Processing is carried out on the basis of the user’s consent to processing, which may be revoked at any time,
c) Processing is carried out out of the need for the Workshop to fulfill a legal obligation, execute a court order or pursue or defend against legal claims,
d) Processing is carried out in connection with the needs, the need to protect the vital interests of the data subject or other persons
e) Processing is carried out, if necessary, for the protection of the public interest.
f) Processing is carried out, if necessary, to protect the legitimate interests of the Workshop or third parties.
By indicating in the documents one of the above general bases for processing, the Workshop specifies the basis in a precise and legible manner, when necessary, indicating, as appropriate, the scope, specific provision, agreement, administrative agreement, categories of events in which vital interests materialize, indicating a specific purpose.
5. DATA PROTECTION SYSTEM
The personal data protection system in the Enterprise consists of the following elements:
Data inventory The Workshop identifies personal data resources, data classes, relationships between data resources, and identifies ways of using data, including:
a) cases of processing special categories of data and criminal data;
b) cases of processing data of persons whom the Workshop does not identify
c) cases of processing children’s data;
d) profiling;
e) joint data administration.
Legal basis The Workshop ensures, identifies, and verifies the legal basis for data processing, including:
a) maintains a system for managing consents to data processing and remote communication,
b) inventories and details the justification for cases when the Workshop processes data based on the legitimate interest of the Enterprise. Handling of individual rights The Workshop fulfils information obligations towards persons whose data it processes and ensures the handling of their rights, implementing requests received in this respect, including:
a) information obligations The Workshop provides persons with information required by law when collecting data and in other situations and organises and ensures the documentation of the implementation of these obligations;
b) possibility of fulfilling requests The Workshop verifies and ensures the possibility of effectively fulfilling each type of request by itself and its processors;
c) handling requests The Workshop ensures appropriate expenditures and procedures so that the requests of persons are fulfilled on time and in the manner required by the GDPR and documented;
d) notification of breaches The Workshop applies procedures allowing to determine the need to notify persons affected by an identified breach of data protection.
Minimisation The Workshop has principles and methods of managing minimisation (privacy by default), including:
a) principles of data adequacy management;
b) principles of rationing and managing access to data;
Security The Workshop ensures an appropriate level of data security, including:
a) conducts risk analyses for data processing activities or their categories
b) conducts impact assessments for data protection where the risk of violating the rights and freedoms of persons is high;
c) adapts data protection measures to the identified risk;
d) has an information security management system;
e) applies procedures that allow for the identification, assessment and reporting of identified data protection breaches to the Office for Data Protection – manages incidents,
The Processor Workshop has rules for the selection of data processors for the Enterprise, requirements for processing conditions (entrustment agreement), rules for verifying the performance of entrustment agreements.
Data export The Workshop does not transfer data to third countries (i.e. outside the EU, Norway, Liechtenstein, Iceland) or to international organizations and ensures lawful conditions for such transfer, if it takes place.
6. TYPES OF PROCESSED DATA
The Workshop processes in particular such personal data, which are not special data, as, among others:
a) first name and last name;
b) other identification data: gender, PESEL number, date of birth, correspondence address, residence address, e-mail, home/mobile phone number;
c) data on the customer’s location (location);
d) Internet identifier (IP address);
e) financial data (bank account number, credit history)
f) education;
g) profession and work;
h) tax identification number (NIP);
i) REGON number;
j) number and series of ID card/passport, date of issue of ID card/passport, expiry date of ID card/passport;
k) other data necessary for the Workshop to offer products or services. In certain situations, the Workshop processes special data revealing racial or ethnic origin, political opinions, religious or ideological beliefs, trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning the health, sexuality or sexual orientation of that person.
The processing of data referred to in paragraph 2 by the Workshop is only possible if:
a) the data subject has given express consent to the processing of such personal data for one or more specific purposes, unless Union or Member State law provides that the data subject cannot waive the prohibition on processing such data
b) processing is necessary for the performance of the obligations and exercise of specific rights by the controller or the data subject in the field of labor law, social security and social protection, insofar as this is permitted by Union or Member State law, or by a collective agreement under Member State law providing appropriate safeguards for the fundamental rights and interests of the data subject; c) processing is necessary to protect the vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent;
d) processing is carried out within the framework of legitimate activities carried out with appropriate safeguards by a foundation, association or other non-profit entity with political, ideological, religious or trade union objectives, provided that the processing concerns only members or former members of that entity or persons maintaining regular contact with it in connection with its objectives and that the personal data are not disclosed outside that entity without the consent of the data subjects;
e) processing concerns personal data manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or in the administration of justice by the courts;
g) processing is necessary for reasons of important public interest, based on Union or Member State law, which are proportionate to the objective pursued, do not affect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational health care, for the assessment of the employee’s fitness for work, for medical diagnosis, for the provision of health care or social security, for treatment or for the management of health care or social security systems and services based on Union or Member State law or in accordance with a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices, based on Union or Member State law which provides for appropriate, specific measures to safeguard the rights and freedoms of data subjects, in particular professional secrecy; (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law, which are proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate, specific measures to safeguard the fundamental rights and interests of the data subject. The processing of data of minors under the age of 16 shall only take place with the consent of the person exercising parental authority or guardianship over the minor.
7. METHODS OF OBTAINING DATA
The Workshop processes data provided by data subjects within forms, agreements, emails, applications or letters and any documents submitted in paper or electronic form, as well as data provided to the Workshop by other data administrators or which the Workshop obtained from publicly available, public databases.
8. AUTOMATED DECISION-MAKING AND PROFILING
Profiling means any form of automated processing of personal data that involves the use of personal data to assess certain personal factors of a natural person, in particular to analyse or forecast aspects concerning the performance of that natural person’s work, their economic situation, health, personal preferences, interests, credibility, behaviour, location or movements
The Workshop uses profiling only for the reason, purpose and necessity to ensure
a) compliance with concluded agreements, framework agreements, arrangements in all forms permitted by law and to the extent necessary to provide the Workshop’s services,
b) based on the user’s consent to processing, which may be revoked at any time,
c) fulfilment by the Workshop of a legal obligation, execution of a court order or investigation or defence against legal claims,
d) in connection with the needs, necessity to protect the vital interests of the data subject or other persons,
e) to the extent necessary, for the protection of the public interest,
f) to the extent necessary, to protect the legitimate interests of the Workshop or third parties.
9. JOINT CONTROL
The Workshop identifies cases of joint control of data and acts in this respect in accordance with the principles adopted in this document for data control.
10. COOKIES AND ACCESS LOGS ON WEBSITES
To a limited extent, the Workshop may collect and use information about their users to the necessary minimum, required to provide them with services at the desired level, in accordance with art. 18 of the Act of 18 July 2002 on the provision of services by electronic means.
To a limited extent, the Workshop may collect personal data automatically via cookies located on websites operated by the Workshop.
Cookies are small text files saved on the user’s computer or other mobile device when they use websites. These files are used, among other things, to use various functions provided on a given website or to confirm that a given user has seen specific content from a given website.
Categories of cookies:
– necessary for the operation of the service, used for:
a) maintaining the user’s session;
b) saving the user’s session state;
c) enabling authorization in the login service;
d) saving information allowing the user to log in anonymously;
e) monitoring the availability of services. – facilitating the use of the service:
a) restoring the last visited view at the next login;
b) remembering the user’s choice to stop displaying a selected message or display it a specified number of times;
c) restoring the user’s session
d) remembering the last selected category on the service;
e) checking whether the cookie entry is functioning correctly;
f) enabling automatic logging into the product (“remember me” option);
g) matching the content of products to user preferences;
h) setting the preferred language, currency, font size and other such features facilitating work with the services;
i) restoring the last search result in the product;
j) displaying recently viewed products in the online store;
k) displaying the last selected sorting parameter
– used by third parties for the following purposes:
a) monitoring traffic on WWW pages;
b) collecting anonymous, aggregate statistics, determining the number of anonymous users of our WWW pages;
c) needed to analyze the use of the services;
d) controlling how often selected content is shown to users;
e) monitoring how often users choose a given service;
f) monitoring newsletter subscriptions;
g) using a personalized recommendation system for e-commerce;
h) using a communication tool;
i) integration with a social networking site;
j) online payments.
The entities referred to in letter c) of the preceding paragraph are, as of the date of entry into force of the Privacy Policy:
Google Analytics (more information and a browser add-on blocking Google Analytics: tools.google.com);
Facebook (more information on the website: www.facebook.com)
The Workshop also informs that some elements of the services are operated by external advertisers who place behavioral ads on websites. Content from external suppliers may contain cookies from other entities, therefore it is recommended that the user familiarizes themselves with the principles of using these cookies to operate websites by these external suppliers.
The Workshop informs that it collects information regarding the use of the Services by its users and their IP addresses based on the analysis of access logs. This information is used to diagnose problems related to the operation of the server, to analyze possible security breaches and to manage the website. The IP address is also used for statistical purposes, i.e. to collect and analyze demographic data of people visiting the website (e.g. information about the region from which the connection was made). Based on the information obtained in the manner specified above, in special cases, collective, general statistical summaries are prepared and disclosed to third parties cooperating with the Workshop. They usually include information on the website’s viewership. However, these summaries do not contain, as we emphasize, any data allowing for the identification (determination of the identity) of a given user of the Service. The Workshop informs that it may be required to disclose information regarding the IP number of a given user of the Service at the request of state authorities authorized to do so – based on applicable legal regulations – in connection with proceedings conducted by them.
11. SECURITY
The Workshop ensures a level of security that corresponds to the risk of violating the rights and freedoms of natural persons as a result of the processing of personal data by the Workshop and documents analyses of the adequacy of personal data security measures. For this purpose:
a) The Workshop ensures an appropriate state of knowledge on information security, cybersecurity and business continuity – internally or with the support of specialized entities,
b) The Workshop categorizes data and processing activities in terms of the risk they present,
c) The Workshop conducts analyses of the risk of violating the rights or freedoms of natural persons for data processing activities or their categories. The Workshop analyzes possible situations and scenarios of a breach of personal data protection, taking into account the nature, scope, context and purposes of processing, the risk of violating the rights or freedoms of natural persons with varying probability of occurrence and threat severity,
d) The Workshop determines possible organizational and technical security measures and assesses the cost of their implementation. In this, the Workshop determines the suitability and applies such measures and approaches as:
– pseudonymisation,
– encryption of personal data,
– other cybersecurity measures that make up the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services,
– measures to ensure business continuity and prevent the effects of disasters, i.e. the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident.
The Workshop assesses the effects of planned processing operations on the protection of personal data where, according to the risk analysis, the risk of violating the rights and freedoms of persons is high.
The Workshop applies the impact assessment methodology adopted in The Workshop applies security measures established as part of the risk analyses and adequacy of security measures and data protection impact assessments.
12. RIGHT OF ACCESS TO PERSONAL DATA
Individuals have the right to access the data that the Workshop stores as the data administrator.
This right can be exercised by sending an e-mail request to kontakt@renotech.pro
The Workshop will provide personal data to which an individual requests access in a way that allows them to become familiar with them.
13. RIGHT TO WITHDRAW CONSENT
In the case of processing personal data based on consent, individuals have the right to withdraw this consent at any time.
The Workshop informs about this almost at any time of collecting consents and enables withdrawal of consent in at least as easy a way as the consent was granted.
In the absence of any other information, the implementation of this right may take place by sending an e-mail with a request to the address kontakt@renotech.pro.
14. RIGHT TO LIMIT PROCESSING OR OBJECTION TO THE PROCESSING OF PERSONAL DATA
Individuals have the right to limit the processing or object to the processing of their personal data at any time, due to their special situation, unless processing is required by law.
A natural person has the right to object to the processing of their personal data when:
a) the processing of their personal data by the Workshop is based on a legitimate interest or for statistical purposes, and the objection is justified by the special situation in which they find themselves,
b) personal data are processed for the purposes of direct marketing, including profiling for this purpose.
Individuals whose data is being processed have the right to request that the controller restrict the processing in the following cases:
a) the data subject questions the accuracy of the personal data – for a period allowing the controller to check the accuracy of this data;
b) the processing is unlawful, and the data subject objects to the deletion of the personal data, requesting instead the restriction of their use; c) the controller no longer needs the personal data for the purposes of processing, but the data subject needs them to establish, pursue or defend legal claims;
d) the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the controller override the grounds for objection of the data subject.
15. RIGHT TO REQUEST DELETION OF DATA AND RIGHT TO TRANSFER DATA
Requests arising from the rights described in this paragraph are fulfilled by submitting a declaration of exercising any of them by e-mail to the address kontakt@renotech.pro
At the request of a person, the Workshop deletes data when:
a) the data is not necessary for the purposes for which it was collected, nor processed for other lawful purposes,
b) the consent to its processing has been withdrawn, and there is no other legal basis for processing,
c) the person has filed an effective objection to the processing of this data,
d) the data was processed unlawfully,
e) the need to delete results from a legal obligation,
f) the request concerns the child’s data collected on the basis of consent for the purpose of providing information society services offered directly to the child, unless their processing is necessary:
– to exercise the right to freedom of expression and information; – to comply with a legal obligation requiring processing under Union or Member State law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
– for reasons of public interest in the field of public health,
– for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, insofar as it is likely that the right to request deletion of data will make it impossible or seriously impede the achievement of the purposes of such processing; or
– to establish, pursue or defend claims.
In the event of a request to delete data necessary for the performance of the contract, the performance resulting from it is not performed.
If the data subject to deletion has been made public by the Workshop, it shall take reasonable steps, including technical measures, to inform other controllers processing this personal data of the need to delete the data and access it.
In the event of deletion of data, the Workshop shall inform the person about the recipients of the data, at the request of that person.
At the request of the person whose data is held, the Workshop issues in a structured, commonly used and machine-readable format or transfers to another entity, if possible, the data concerning that person that he or she provided to the Company, processed on the basis of that person’s consent or in order to conclude or perform a contract concluded with him or her in the Workshop’s IT systems.
16. CONTACT. RIGHT TO COMPLAINT TO THE SUPERVISORY AUTHORITY
In the event of any questions, reservations or doubts regarding the content of this Privacy Policy or the manner in which the Workshop processes personal data, as well as complaints regarding these matters, please send an e-mail with detailed information regarding the complaint to the e-mail address kontakt@renotech.pro or directly or by post to the following address:
Workshop. Persons whose personal data is processed by the Workshop also have the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection.
17. FINAL PROVISIONS
The Workshop undertakes to regularly review this Privacy Policy and change it when it proves necessary or desirable due to:
a) new legal regulations,
b) new guidelines from authorities responsible for supervising personal data protection processes,
c) best practices used in the area of personal data protection (Codes of good practice, if the Workshop is bound by such Codes, about which you will be informed).
The Workshop also reserves the right to change this Privacy Policy in the event of changes in the technology by which it processes personal data (if the change affects the wording of this document), as well as in the event of changes in the methods, purposes or legal basis for processing personal data by us.
HAVE QUESTIONS?
Write!
- 43-100 Tychy, ul. Stefana Grota-Roweckiego 35/22
- +48 793 070 887
- kontakt@renotech.pro
- facebook.com/renotech.pro
- instagram.com/renotech.pro