PERSONAL DATA PROCESSING POLICY
1.1. Controller – Nextbike Polska S.A. with its registered office in Warsaw (01-756), ul. Przasnyska 6b.
1.2. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining a physical, physiological, genetic, psychological, economic, cultural or social identity, including image, voice recording, contact details, location data, information contained in correspondence, information collected via recording equipment or other similar technology.
1.3. Policy – this personal data processing policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Data subject – any natural person whose personal data is processed by the Controller, e.g. a person visiting the Controller’s premises or sending a query to the Controller in the form of an
2. DATA PROCESSING BY THE CONTROLLER
2.1. Due to the conducted business activity, the Controller collects and processes personal data in accordance with the appropriate regulations, especially with the GDPR, and the data processing rules included in them.
2.2. The Controller ensures transparency of data processing, particularly always informs about the processing of data at the moment of its collection, including about the purpose and legal basis for such processing – e.g. during conclusion of agreements for the sale of goods or services. The Controller makes sure that the data is collected only to the extent necessary for the indicated purpose and processed only for as long as it’s necessary.
2.3. In the course of processing data, the Controller ensures its security and confidentiality, as well as access of data subjects to their information. In the case of breach of personal data protection (e.g. “leak” of data or its loss) despite the used security measures, the Controller shall inform the data subjects about such event in a manner compliant with the regulations.
3. CONTRACT WITH THE CONTROLLER
3.1. The Controller may be contacted using the following e-mail address: [email protected], contact form at www.nextbike.pl, via telephone: 22 208 99 90 or in writing to the address of the registered office of Nextbike Polska S.A.
3.2. The Controller appointed a Data Protection Officer, who may be contacted using the following
e-mail address: [email protected] in any matter concerning the personal data processing.
4. SECURITY OF PERSONAL DATA
4.1. In order to ensure the integrity and confidentiality of data, the Controller implemented procedures that only allow authorized persons to access the personal data and only to the extent to which it’s necessary due to the tasks performed by them. The Controller uses organizational and technical solutions in order to ensure that all operations on personal data are recorded and carried out only by authorized persons.
4.2. The Controller also undertakes all necessary actions to ensure that its subcontractors and other cooperating entities provide guarantee of using appropriate security measures in every case, when they process personal data on behalf of the Controller.
4.3. The Controller conducts risk analysis on an on-going basis and monitors the adequacy of used data security measures in regard to the identified threats. If there’s such a need, the Controller shall implement additional measures aimed at increasing the data security.
5. PURPOSES AND LEGAL BASIS FOR PROCESSING
5.1. NEXTBIKE WEBSITES
5.1.1. Personal data of all persons using the Controller’s websites (www.nextbike.pl and websites of individual city bike systems operated by the Controller), including IP addresses or other identifiers, as well as information collected via cookies or other similar technologies, is processed:
a. in order to provide services electronically in the scope of making available to users the contents collected on the website – in such case the legal basis for processing is the necessity of processing in order to implement the agreement (article 6, paragraph 1(b) of the GDPR);
b. for analytical and statistical purposes – in such case the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of conducting the analysis of users’ activity, as well as their preferences in order to improve the used functionalities and provided services;
c. in order to possibly determine and pursue claims or defend against them – in such case, the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of the protection of its rights;
d. for marketing purposes of the Controller and other entities – rules for the processing of personal data for marketing purposes are described in the “Marketing” section below.
5.1.2. The user’s activity on the Controller’s website, including its personal data, is recorded in system logs (special computer program intended for the storing of chronological record containing information about events and activities concerning the IT system used to provide services by the Controller). Information collected in the logs is processed mainly for the purposes associated with the provision of services. The Controller also processes them for technical and administrative purposes, in order to ensure the security of the IT system, as well as management of this system, and also for analytical and statistical purposes – in this scope the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).
5.1.3. Session that the user’s web browser establishes with the Controller’s servers, from the moment of logging in to logging out of the website, is protected with the use of TLS protocol. This means that all data, including personal data, is sent with the use of cryptographic protection (encryption).
5.2.1. The Controller processes personal data of users in order to implement marketing activities, which may consist of:
a. displaying marketing contents to the user that are not adapted to its preferences (contextual advertising);
b. displaying marketing contents to the user that correspond to its interests (behavioural advertising);
c. conducting other types of activities associated with direct marketing of goods and services (sending commercial information via electronic means and telemarketing activities).
5.2.2. The Controller may use profiling in some cases in order to implement marketing activities. This means that thanks to the automatic processing of data, the Controller evaluates the selected factors regarding natural persons, in order to analyze their behaviour or to create a forecast for the future. In such case, the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).
5.3. COOKIES AND SIMILAR TECHNOLOGY
5.3.1. Cookies are small text files installed on the device of the user browsing the website. Cookies collect information that facilitates the use of the website – e.g. through memorizing the user’s visits on the website and the activities carried out by the given user. In such case, the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).
a. cookies with data entered by the user (session identifier) for the duration of the session (user input cookies);
b. authentication cookies used for services requiring authentication for the duration of the session (authentication cookies);
c. cookies used to ensure security, e.g. used to detect fraud in the scope of authentication (user centric security cookies);
d. session cookies for multimedia players (e.g. flash player cookies), for the duration of the session (multimedia player session cookies);
e. permanent cookies used to personalize the user interface for the duration of the session or a little longer (user interface customization cookies),
f. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these files are used by Google in order to analyse how the user uses the website, to generate statistics and reports regarding the functioning of the website). Google Analytics is also used to direct the behavioural advertising to users. Google does not use the collected data to identify the user and it does not combine this information in order to allow identification. Detailed information about the scope and rules of data collection in connection with this service may be found at:
5.4. LOCATION DATA
5.4.1. Mobile applications made available by the Controller, such as Nextbike application, Veturilo application or Citi Handlowy Bike application, as well as some of the Controller’s websites, e.g. www.veturilo.waw.pl or www.bikerbialystok.pl, may use location data of the user’s device (computer, mobile phone, tablet, etc.).
5.4.2. In particular, the Controller processes location data in order to provide the user with a map indicating the nearest Nextbike’s bike stations. The user is informed about all other purposes of location data processing in separate information clauses.
5.4.3. The legal basis for processing of such data is the user’s consent (article 6, paragraph 1(a) of the GDPR) given by providing a mobile application or web browser with access to user’s device location data.
5.5. CONTACT FORMS AVAILABLE ON THE WEBSITES
5.5.1. The Controller provides the possibility to contact it with the use of electronic contact forms, which are available on the Controller’s websites. Using the form requires providing personal data necessary to contact the user and reply to the inquiry. The user may also provide other data in order to facilitate contact or handling of the inquiry. Providing data marked as obligatory is required in order to receive and handle the inquiry, and failure to provide such data results in a lack of the possibility to handle such inquiry. Provision of other data is voluntary.
5.5.2. Personal data is processed:
a. in order to identify the sender and handle the request or answer the question sent via the contact form – the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of enabling the handling of requests and answering questions asked particularly by persons interested in Controller’s services;
b. in order to monitor and improve the quality of services, including customer service – the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of enabling the improvement of quality of services provided by the Controller.
5.6. E-MAIL AND TRADITIONAL CORRESPONDENCE
5.6.1. In the case of e-mail or traditional correspondence sent to the Controller, the personal data contained in such correspondence is processed only for the purpose of communication and resolving the matter associated with such correspondence.
5.6.2. The legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of implementation of the correspondence addressed to the Controller in connection with its business activity.
5.6.3. The Controller processes only personal data relevant to the matter associated with the given correspondence. All correspondence is stored in a manner ensuring the security of personal data (and other information) contained in it and it’s disclosed only to authorized persons.
5.7. TELEPHONE CONTACT
5.7.1. In the case of contacting the Controller via telephone, the Controller may request the provision of personal data only when it will be necessary to handle the matter associated with the given contact. In such case, the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR) consisting of allowing the service of requests and answering the questions asked by persons interested in the Controller’s services.
5.7.2. Telephone calls also may be recorded – in such case, appropriate information is provided at the beginning of the call. Calls are recorded in order to monitor the quality of provided services and to verify the work of consultants. The recordings are available only to the Controller’s employees and persons servicing the Controller’s helpline. The legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of allowing for the improvement of quality of services provided by the Controller.
5.8. SOCIAL MEDIA
5.8.1. The Controller processes personal data of the users visiting the Controller’s profiles in social media (Facebook, YouTube, Instagram, Twitter). This data is processed only in connection with running the profile, including to inform Users about the activity of the Controller and to promote various types of events, services and products. The legal basis for processing of personal data by the Controller for this purpose is its justified interest (article 6, paragraph 1(f) of the GDPR), consisting of promoting its own brand.
5.9. VIDEO MONITORING AND ACCESS CONTROL
5.9.1. In order to ensure the safety of persons and property, the Controller uses video monitoring and controls access to premises and the area under its management. Data collected in such manner is not used for any other purposes.
5.9.2. Personal data in the form of recordings from the monitoring and data collected in the register of entries and exits are processed in order to ensure security and order on the premises, and possibly in order to defend against claims or their pursuit. The legal basis for personal data processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of ensuring the security of Controller’s property and protection of its rights.
5.10.1. Within the recruitment processes, the Controller expects the transfer of personal data (e.g. in a CV or resume) only in the scope determined in provisions of the labour law. Thus, information should not be passed in a wider scope. In the case when the sent applications will contain additional data, such data won’t be used, nor taken into account in the recruitment process.
5.10.2. Personal data is processed:
a. in order to comply with obligations resulting from provisions of the law, associated with the employment process, including particularly the Labour Code – the legal basis for processing is the legal obligation of the Controller (article 6, paragraph 1(c) of the GDPR in connection with provisions of the Labour Code);
b. in order to carry out a recruitment process in the scope of data not required by provisions of the law, as well as for the purposes of future recruitment processes – the legal basis for processing is the given consent (article 6, paragraph 1(a) of the GDPR);
c. in order to determine or pursue any possible claims or to defend against such claims – the legal basis for data processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).
5.11. COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR IMPLEMENTATION OF OTHER AGREEMENTS
5.11.1. In the case of collection of data for purposes associated with the implementation of a specific agreement, also via website, the Controller provides the data subject with detailed information concerning the processing of its personal data at the moment of conclusion of the agreement.
5.12. COLLECTION OF DATA IN OTHER CASES
5.12.1. In connection with the conducted business activity, the Controller collects personal data also in other cases – e.g. during business meetings, industry events or through exchange of business cards – for purposes associated with initiating and maintaining business contacts. In this case, the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of creating a network of contacts in connection with the conducted business activity.
5.12.2. Personal data collected in such cases is processed only for the purpose for which the given personal data was collected and the Controller ensures its appropriate protection.
6. DATA RECIPIENTS
6.1. In connection with conducting business activity requiring processing, the personal data is disclosed to external entities, including particularly suppliers responsible for the handling of IT systems and equipment (e.g. CCTV equipment, GPS location services), entities providing legal or accounting services, couriers, marketing agencies or recruitment agencies. The data may be also disclosed to selected partners of the Controller, e.g. within implementation of the promotional campaigns participated by the data subject.
6.2. The Controller reserves the right to disclose selected information regarding the data subject to competent authorities or third parties who will submit a request for providing such information based on appropriate legal basis and in accordance with the provisions of applicable law.
7. TRANSFER OF DATA OUTSIDE THE EEA
7.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by the European law. Due to that fact, the Controller transfers personal data outside the EEA only when it’s necessary and with ensuring an adequate level of protection, mainly through:
7.1.1. cooperation with entities processing personal data in countries in regard to which an appropriate decision of the European Commission has been issued;
7.1.2. use of standard contractual clauses issued by the European Commission;
7.1.3. application of binding corporate rules approved by the competent supervisory authority;
7.1.4. in the case of data transfer to the USA – cooperation with entities participating in the Privacy Shield program, approved by the decision of the European Commission.
7.2. The Controller always informs about the intention to transfer personal data outside the EEA at the stage of its collection.
8. PERIOD OF THE PERSONAL DATA PROCESSING
8.1. The period of data processing by the Controller depends on the type of provided service and the purpose of processing. The period of data processing may also result from the regulations in the case when they constitute the basis for processing. In the case of data processing based on the justified interest of the Controller – e.g. due to security reasons – the data is processed for a period allowing for implementation of this interest or until the submission of objection in regard to data processing. If the processing is carried out on the basis of consent, the data is processed until its withdrawal. When the basis for processing is the necessity to conclude or implement the agreement, the data is processed until it is terminated.
8.2. The data processing period may be extended in the case, when the processing is necessary to establish or pursue claims or defend against claims, and after this period – only in the case and to the extent that it will be required by provisions of the law. After the expiration of processing period, the data is irreversibly deleted or anonymised.
9. RIGHTS ASSOCIATED WITH THE PERSONAL DATA PROCESSING
RIGHTS OF THE DATA SUBJECTS
9.1. The data subjects have the following rights:
9.1.1. right to information regarding the processing of personal data – on this basis, the Controller provides information regarding the processing of data to person submitting the request, including primarily about the purposes and legal basis for processing, the scope of possessed data, entities to which the data is disclosed and the planned date of deletion of such data;
9.1.2. right to obtain a copy of the data – on this basis, the Controller provides a copy of processed data concerning the person submitting the request;
9.1.3. right to correct – the Controller is obliged to remove any possible incompatibilities or errors of processed personal data and to supplement data if it is incomplete;
9.1.4. right to delete data – on this basis, it’s possible to request deletion of data, the processing of which is no longer necessary to implement any of the purposes for which such data was collected;
9.1.5. right to limit processing – in the case of submitting such a request, the Controller ceases to perform operations on personal data – except for operations agreed by the data subject – and its storage, in accordance with adopted retention rules or until the reasons for limiting data processing have ceased to exist (e.g. decision of the supervisory authority is issued allowing for further processing of data);
9.1.6. right to data transfer – on this basis – in the scope in which the data is processed in connection with the concluded agreement or given consent – the Controller issues data provided by the data subject in a format that allows its reading by the computer. It is also possible to request that data to be sent to another entity – however provided that there are technical possibilities in this scope on the part of the Controller as well as on the part of such other entity;
9.1.7. right to object to the data processing for marketing purposes – at any time, the data subject may object to the processing of personal data for marketing purposes, without the need to justify such objection;
9.1.8. right to object to other purposes of data processing – at any time, the data subject may object to the processing of personal data, which is carried out on the basis of the justified interest of the Controller (e.g. for analytical or statistical purposes or for reasons associated with the protection of property); the objection in this scope should include a justification;
9.1.9. right to withdraw consent – if the data is processed on the basis of given consent, the data subject has the right to withdraw it at any time, however such withdrawal does not affect the legality of processing carried out prior to the withdrawal of consent.
9.1.10. right to lodge a complaint – if it’s found that the processing of personal data violates provisions of the GDPR or other provisions regarding the protection of personal data, the data subject may lodge a complaint to the President of the Personal Data Protection Office.
9.2. SUBMISSION OF REQUESTS RELATED TO EXERCISE OF THE RIGHTS
9.2.1. Application regarding exercise of the rights of the data subjects may be submitted:
a. in written form to the following address: ul. Przasnyska 6b, 01-756 Warszawa;
b. via e-mail to the following address: [email protected]
9.2.2. If the Controller won’t be able to identify the person submitting the application on the basis of submitted application, the Controller will ask the applicant for additional information.
9.2.3. The application may be submitted in person or through a proxy (e.g. a family member). Due to the security of data, the Controller encourages the use of power of attorney in a form certified by a notary or authorized legal counsel or attorney, which will significantly accelerate the verification of application’s authenticity.
9.2.4. Reply to the application should be given within one month from its receipt. If it is necessary to extend this deadline, the Controller informs the applicant about the reasons for the delay.
9.2.5. Reply is provided via traditional mail, unless the application was submitted via e-mail or a reply in electronic form was requested.
9.2.6. The data subject may also correct or update its personal data by himself/herself, as well as withdraw his/her previously given consents to the processing of personal data and to the provision of marketing information, with the use of Controller’s websites. In order to do this, it’s necessary to log in to the website (e.g. www.nextbike.pl), go to the “User settings” tab and make appropriate changes.
9.3. RULES FOR CHARGING THE FEES
9.3.1. Procedure concerning the submitted applications is free. Fees can only be charged in the case of:
a. submitting the request to issue the second and each subsequent copy of data (the first copy of data is free); in such case, the Controller may request the payment of a fee amounting to 30 PLN.
The above-mentioned fee includes administrative costs associated with the implementation of the request.
b. submitting excessive requests (e.g. extremely frequent) by the same person or evidently unjustified requests; in such case, the Controller may request a fee in the amount of 100 PLN.
The above-mentioned fee includes the costs of communication and the costs associated with undertaking the requested actions.
9.3.2. In the case of contesting the decision regarding imposition of a fee, the data subject may lodge a complaint to the President of the Personal Data Protection Office.
10. MODIFICATIONS OF THE PERSONAL DATA PROCESSING POLICY
This policy is verified on an ongoing basis and it is updated if such a need occurs. The current version of this Policy was adopted on 23 May 2018.