- Controller – NT.NET Spółka z ograniczoną odpowiedzialnością, with its registered office in Ostrów Wielkopolski, ul. Krotoszyńska 35, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court in Poznań – NOWE MIASTO I WILDA in Poznań, 9th Commercial Division [SĄD REJONOWY POZNAŃ – NOWE MIASTO I WILDA W POZNANIU, IX WYDZIAŁ GOSPODARCZY KRAJOWEGO REJESTRU SĄDOWEGO], KRS [National Court Register] number: 0000338017, Tax identification number (NIP): 6222720614, with fully paid-up share capital of PLN 200 000.
- Personal data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including an image, recording of voice, contact details, location details, information included in correspondence, information collected with the use of recording equipment or other similar technology.
- Policy – this Personal Data Processing Policy
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Data subject – any natural person whose data is processed by the Controller, e.g. a person entering the Controller’s premises or a person sending an e-mail request to the Controller.
II. PROCESSING OF PERSONAL DATA BY THE CONTROLLER
- In connection with the business activity run by the Controller, the Controller collects and processes personal data in accordance with relevant regulations, including in particular the GDPR and the personal data processing principles included therein.
- The Controller ensures the transparency of data processing, and in particular the Controller shall always inform about the processing of data upon its collection, including information about the purpose and legal grounds for the processing of data – e.g. when concluding a contract for the sale of goods or services. The Controller shall ensure that the data is collected only to the extent required to achieve an indicated purpose and processed only for the required period.
- While processing data, the Controller shall ensure appropriate security and confidentiality of personal data, as well as access to information about processing for data subjects. If, despite the appropriate security measures, a breach of personal data has occurred (e.g. unauthorised disclosure or loss of personal data), the Controller will inform data subjects of such an event, in accordance with regulations.
III. CONTACT WITH THE CONTROLLER
- The Controller may be contacted via e-mail at email@example.com, a contact form at https://tortugafriends.com/kontakt/, or in writing to the registered office address of NT.NET Spółka z ograniczoną odpowiedzialnością.
IV. PROTECTION OF PERSONAL DATA
- In order to ensure integrity and confidentiality of personal data, the Controller has implemented procedures which allow access to personal data only to authorised persons and only to the extent in which it is required for the functions they exercise. The Controller uses organisational and technical solutions in order to ensure that all personal data operations are registered and conducted only by authorised persons.
- In addition, the Controller takes all necessary action in order to ensure that their subcontractors and other entities which they cooperate with also guarantee taking appropriate security measures in all cases of processing of personal data ordered by the Controller.
- The Controller runs an up-to-date risk analysis and monitors the adequacy of the security measures taken to the identified threats. Where necessary, the Controller shall implement additional security measures with the aim to increase the protection of personal data.
V. PURPOSES AND LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA
- Personal data of all the users of Tortuga Friends, including their IP addresses or other identifiers and information collected through cookie files or other similar technology, is processed in order to:
- provide online services in terms of publishing the content collected in Tortuga Friends to users – where the legal ground is the contractual necessity (processing is necessary for the performance of a contract) (Article 6 (1) (b) of the GDPR);
- perform analytical and statistical tasks – where the legal ground is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), which consists in performing analyses of the users’ activity and their preferences in order to improve the functionality applied and services provided;
- identify and pursue possible claims or protect the Controller against possible claims – where the legal ground is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), which consists in the protection of the Controller’s rights;
- User’s activity in the Controller’s Mobile Application, including their personal data, is registered in system logs (a special computer programme for storing a chronological register containing information about the events and actions of the IT system used for providing services by the Controller). The information collected in logs is processed mainly for the purposes of providing services. The Controller processes the information also for technical and administrative purposes, to ensure security of the IT system and to administer the system, as well as to perform analytical and statistical tasks – where the legal ground is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR).
- A session which a user starts with the Controller’s Application Tortuga Friends is protected – from the moment of logging in to the moment of logging out – by an SSL protocol. This means that all data, including personal data, is transmitted in encrypted form.
- The Controller processes users’ personal data in order to perform marketing operations, which may consist in:
- displaying marketing content which is not adapted to user’s preferences (contextual advertising);
- displaying marketing content adapted to user’s preferences (behavioural advertising);
- performing other types of actions related to direct marketing of goods and services (sending commercial communications via the Internet and telemarketing operations).
- In order to perform its marketing operations, the Controller may, in some cases, make use of profiling. It means that the Controller, thanks to automatic data processing, makes an assessment of selected factors concerning natural persons in order to analyse their behaviour or to make a forecast for the future. The legal ground for the processing of personal data in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR).
VII. COOKIE FILES AND SIMILAR TECHNOLOGY
- Cookie files are small text files installed on a device of the Tortuga Friends user. Cookies collect information which facilitates using a website – e.g. by remembering the user’s visits in Tortuga Friends and the actions they take. The legal ground for the processing of personal data in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR).
- cookies with the data entered by the user (session ID) for the duration of the session (userinputcookies);
- cookies used for the services which require authentication for the duration of the session (authenticationcookies);
- cookies used for ensuring security, e.g. to detect fraud in terms of authentication (usercentricsecuritycookies);
- session cookies for multimedia players (e.g. flash player cookies), for the duration of the session (multimedia playersessioncookies);
- persistent cookies used for interface customisation for the duration of the session or a bit longer (userinterfacecustomizationcookies),
- cookies used for monitoring the website traffic, i.e. data analytics, including Google Analytics (files used by the Google Company to analyse the manner in which Tortuga Friends is used by users, to make statistics and reports concerning the functioning of Tortuga Friends). Google Analytics tools also serve the purpose of sending behavioural advertising to users. Google does not use the data collected to identify users or to connect information in order to identify a user. More detailed information about the scope and principles of collecting data related to this service may be found here: Google – Privacy and terms.
VIII. E-MAIL AND TRADITIONAL CORRESPONDENCE
- In the case of sending an e-mail or a letter to the Controller, the personal data included in the correspondence are processed solely for the purpose of communicating between the parties and resolving an issue which the correspondence concerns.
- The legal ground for the processing of personal data in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in managing correspondence addressed to the Controller relating to their business activity.
- The Controller processes only the personal data which is relevant to the case being the subject matter of the correspondence. All correspondence is stored in a manner that ensures security of the personal data (as well as other information) it contains and disclosed only to authorised persons.
IX. TELEPHONE CONTACT
- Where the Controller is contacted by phone, they may require providing personal data only when it is necessary to deal with the case which the phone call concerns. The legal ground for the processing of personal data in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in making it possible to deal with claims and requests made by persons interested in the Controller’s services.
- Telephone conversations may also be recorded – in this case, the Controller informs about this fact at the beginning of a conversation. Telephone conversations are registered in order to monitor the quality of the service provided and to verify the work of consultants. The recordings are available only to Controller’s staff and persons operating the Controller’s hotline. The legal ground for the processing of personal data in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in making it possible to improve the quality of the services provided by the Controller.
X. SOCIAL NETWORKING SITES
- The Controller processes personal data of users who visit the Controller’s profiles on social networking sites (Facebook, YouTube, Instagram, Twitter). This data is processed only in relation to running the profiles, including, e.g. informing the Users about the Controller’s activity and promoting various types of events, services and products. The legal ground for the processing of personal data in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in promoting one’s own brand.
XI. VIDEO SURVEILLANCE AND ACCESS CONTROL
- In order to ensure the safety of persons and property, the Controller uses video surveillance and monitors access to their business premises and areas. The data collected in this way are not used for any other purposes.
- Personal data in the form of surveillance recordings and data collected in the register of entries and exits are processed in order to ensure safety and order on the premises and for the purpose of defending against or pursuing possible claims. The legal ground for the processing of personal data in this case is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in ensuring the safety of the Controller’s property and protection of their rights.
XII. OTHER CASES OF PERSONAL DATA COLLECTION
- In connection with their business activity, the Controller also collects personal data in other cases – e.g. at business meetings, professional events or through exchange of business cards – for purposes related to initiating and maintaining business contacts. The legal ground for the processing of personal data in such cases is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in making a network of contacts relating to the business activity run by the Controller.
- Personal data collected in such cases are processed only for the purposes for which they have been collected, and the Controller ensures their appropriate protection.
XIII. PERSONAL DATA RECIPIENTS
- In connection with running business activity which requires processing of personal data, the data are disclosed to third parties, including in particular the suppliers responsible for the operation of IT systems and equipment (e.g. CCTV equipment, GPS services), entities providing legal or accounting services, delivery companies, marketing or recruitment agencies. The data may also be disclosed to the Controller’s selected partners, e.g. while realising advertising campaigns joined by the data subject.
- The Controller reserves the right to disclose selected information about a data subject to competent authorities or third parties who request such information based on the appropriate legal grounds and in accordance with applicable law.
XIV. TRANSFER OF PERSONAL DATA OUTSIDE THE EEA
- The level of protection of personal data outside the European Economic Area (EEA) differs from the one provided by the European law. For this reason, the Controller transfers personal data outside the EEA only when necessary, and ensuring an appropriate level of protection, primarily through:
- cooperation with entities which process personal data in countries in respect of which an appropriate decision of the European Commission has been issued;
- application of standard contractual clauses issued by the European Commission;
- application of binding corporate rules approved by the competent supervisory authority;
- where data is transferred to the USA – cooperation with entities participating in the Privacy Shield programme approved by the European Commission.
- The Controller always informs about their intention to transfer personal data outside the EEA at the stage of collection.
XV. PERIOD FOR THE PROCESSING OF PERSONAL DATA
- The period for the processing of personal data by the Controller depends on the type of service provided and the purpose of processing. The period may also arise from regulations, where processing is carried out based on such regulations. Where data is processed based on the legitimate interest of the Controller – e.g. for security reasons – the data is processed for a period of time which makes it possible to realise the interests or to effectively object to the processing of personal data. If the processing of data is performed on the basis of an agreement, the data will be processed until the agreement is withdrawn. When the basis for the processing of data is the necessity to enter into and perform a contract, the data will be processed until the contract is terminated.
- The period for the processing of personal data may be extended where the processing is necessary to establish, pursue or defend against claims, and after this period – only where and to the extent that is required by law. After the end of the period for processing, the data is irreversibly erased or anonymised.
XVI. RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA, RIGHTS OF DATA SUBJECTS
- Data subjects have the following rights:
- right to information about the processing of personal data – on this basis, a person making a request will be provided information about data processing by the Controller, including primarily about the purposes and legal grounds for processing, the scope of data held, entities to which such data is disclosed and the planned date of data deletion;
- right to obtain a copy of the data – on this basis, the Controller will provide a copy of the processed data concerning the person making a request;
- right to rectify – the Controller is required to rectify any discrepancies or mistakes in processed personal data and to amend such data, if incomplete;
- right to delete data – on this basis, one can request the deletion of data the processing of which is no longer necessary to achieve any of the purposes for which they have been collected;
- right to restrict processing – if such a request is made, the Controller will cease to perform operations on personal data – except for operations consented to by the data subject, and to retain data, in accordance with accepted retention rules or until the reasons for restriction of data processing have ceased to exist (for example, a supervisory authority decision is issued allowing further processing of data);
- right to transfer data – on this basis – to the extent that data is processed in connection with a contract concluded or a consent expressed – the Controller will issue data provided by the data subject in a machine-readable format. It is also possible to request that data be sent to another entity – provided, however, that there is technical capacity in this regard on the part of both the Controller and the other entity;
- right to object to the processing of data for marketing purposes – the data subject may at any time object to the processing of their personal data for marketing purposes, without the need to justify such objection;
- right to object to other purposes of data processing – the data subject may at any time object to the processing of personal data which takes place on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes or for reasons related to the protection of property); objection in this respect must contain a justification;
- right to withdraw consent – if data is processed based on a consent given, the data subject has the right to withdraw such consent at any time, which does not affect the lawfulness of processing carried out prior to the withdrawal of the consent;
- right to complain – if it is found that the processing of personal data violates the provisions of GDPR or other regulations on the protection of personal data, the data subject may file a complaint with the President of the Personal Data Protection Authority.
XVII. MAKING REQUESTS RELATING TO THE EXERCISE OF RIGHTS
- A request regarding the exercise of the rights of data subjects can be submitted:
- in writing to the following address: NT.NET Sp. z o.o., ul. Krotoszyńska 35, 63-400 Ostrów Wielkopolski
- by e-mail to the following address: firstname.lastname@example.org
- If the Controller is unable to identify the person submitting a request based on the request submitted, the Controller will ask the person making the request for additional information.
- A request can be submitted in person or through a proxy (e.g. a family member). For reasons of data security, the Controller encourages the use of a power of attorney certified by a notary public or an authorized legal counsel or attorney, which will significantly speed up the verification of the authenticity of the request.
- A response to a request should be given within one month of its receipt. If this period needs to be extended, the Controller shall inform the person making the request about the reasons for the delay.
- Response must be provided via traditional mail, unless the request was submitted via e-mail or it was requested that the response be given in an electronic format.
XVIII. CHARGING POLICY
- Proceedings regarding submitted requests are free of charge. Charges can only be collected where:
- a request is made for the second and each subsequent copy of data (the first copy of data is free); in this case, the Controller can demand a charge of PLN 50. This charge includes the administrative costs related to the fulfilment of the request.
- the same person makes requests that are excessive (e.g. extremely frequent) or clearly unjustified; in this case, the Controller can demand a charge of PLN 200. This charge includes the costs of communication and the costs of taking the requested actions.
- If the decision to impose a charge is disputed, the data subject may file a complaint with the President of the Personal Data Protection Authority.
XIX. CHANGES TO PERSONAL DATA PROCESSING POLICY
The Policy is reviewed on an ongoing basis and updated as necessary. The current version of the Policy was adopted on 01 September 2018.