WEB SITE PERSONAL DATA PROCESSING POLICY

This policy is of informational nature and lays down the rules for the personal data processing by the Administrator in the online shop and on the website including the bases, goals and scope of personal data processing and rights of data subjects as well as information with respect to the use of cookies and analytic tools.

1 DEFINITIONS

1. Administrator – Szkoła Zdobywców Horyzont Joanna Łączkowska – Jęcek, ul. Wilcza 10, 58-540 Karpacz NIP 7871758235, REGON 3605737
2. Personal Data – any information regarding a natural person identified or identifiable by several specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity including image, voice recording, contact data, location data, information contain in the mailing, information collected through the use of registration equipment or other, similar technology.
3. Policy – this Personal Data Processing Policy.
4. GDPR – Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
5. Data Subject – each natural person whose personal data are processed by the Administrator.

2 DATA PROCESSING

1. In connection with the conducted business activity, the Administrator collects and processes the personal data in accordance with the relevant regulations and in particular with the General Data Protection Regulations and the rules for personal data processing set forth therein.
2. The Administrator ensures data transparency and in particular provides information on personal data processing upon their collection including information on the purpose and legal basis for data processing – e.g. upon conclusion of goods and services sale agreements. The Administrator makes sure that the data are collected solely in so far as necessary for the identified purpose and processed solely throughout the period such processing is necessary.
3. While processing the data, Administrator ensures their security, confidentiality and access to the processing information only by the data subjects. However, should the personal data, despite the applied security measures, be compromised (e.g. data “leak” or loss), the Administrator shall advise the persons concerned thereof in the manner compliant with the pertinent regulations.

3 CONTACT WITH THE ADMINISTRATOR

1. Contact with the Administrator is possibly by e-mail: ultramaraton3xsniezka@gmail.com or in writing to the Administrator’s headquarters, i.e. Szkoła Zdobywców Horyzont Joanna Łączkowska – Jęcek, having its registered office in 58-540 Karpacz at ul. Wilcza 10.
2. The Administrator has not appointed the Data Protection Supervisor.

4 PERSONAL DATA SECURITY

1. In order to ensure data integrity and confidentiality, the Administrator implemented procedures enabling access to the personal data solely to authorised individual and solely within the scope in which it is necessary in light of the Administrator’s duties. The Administrator applies technical and organisational means to ensure that all operations performed on personal data are registered and performed solely by authorized persons.
2. The Administrator also undertakes all activities as necessary to ensure that also its sub-contractors and other cooperating entities will apply adequate security measures in each case while processing personal data upon Administrator’s commission.
3. The Administrator carries out an on-going risk analysis and monitors adequate nature of the data security with the respect to identified risks. As and where required, the Administrator shall implement additional measures to increase data security.

5 PURPOSES AND LEGAL BASIS FOR DATA PROCESSING

1. The personal data of all individuals using the web services of the Administrator (3razysniezka.pl, including IP addresses or other identifiers and information collected through cookies or other, similar technologies are processed:
   1. In order to provide electronic services with respect to making available the content collected through the service provision – then the legal basis for the processing derives from the necessity to process the data in order to perform the agreement (Art.6 section 1 sub-section b of GDPR);
   2. For analytic and statistical purposes – then the legal basis for the processing derives from the justified interest of the Administrator (Art.6 section 1 letter f of GDPR) consisting in the performance of analyses of user activity as well as their preferences in order to improve the functionalities in use and services rendered;
   3. In order to determine and make claims or to ensure protection against them – the legal basis for the processing derives from the justified interest of the Administrator (Art.6 section 1 letter f of GDPR) consisting in the Administrator’s rights protection;
   4. For marketing purposes of the Administrator and of other entities – the rules for personal data processing for marketing purposes are given in section “Marketing” below.
2. User activity on the Administrator’s portal, including his/her personal data, are registered in the system logs (special computer software used for the storage of the chronological record containing information about the events and actions concerning the IT system used in service provision by the Administrator). The data collected in the logs are first and foremost processed in connection with the purposes linked with the service provision. The Administrator processes the data also for technical and administrative purposes and to ensure IT system security and to manage the system as well as for analytic and statistical purposes – to this end the legal basis for the processing derives from the legally justified interest of the Administrator (Art.6 section 1 letter f of GDPR).

6 MARKETING

1. The Administrator processes the users’ personal data to carry out marketing activities which may consist in:
   1. Displaying marketing content to the user which is not adapted to his/her preferences (context advertisement);
   2. Displaying the marketing content to the use matching his/her interests (behavioural advertising);
   3. Carrying out other types of activities linked with the direct marketing of goods and services (provision of commercial information by e-mail and telemarketing activities).
2. In order to realise the marketing activities in some cases, the Administrator may apply profiling. It means that due to automatic data processing, the Administrator carries out an evaluation of selected factors concerning individuals to analyse their behaviours or to store or create forecasts for the future. The legal basis for data processing in this case derives from the legally justified interest of the Administrator (Art.6 section 1 letter f of GDPR).

8 CONTACT FORMS AVAILABLE ON WEB SITES

1. The Administrator ensures a possibility of contacting it using electronic contact forms available on the Administrator’s web sites. Use of the form requires provision of personal data as necessary to contact the user and to grant answer to the question. User may also provide other data to facilitate contact or enquiry service. Provision of data marked as obligatory is necessary to accept and service the enquiry; failure to provide the data results in lack of possibilities of handling the enquiry. The provision of other data is on a voluntary basis.
2. Personal data are processed:
   1. To identify the sender and handle the enquiry or to reply to an enquiry served through the contact form – the legal basis for the processing derives from the legally justified interest of the Administrator (Art.6 section 1 sub-section f of the GDPR) consisting in enabling the service of enquiries handling and serving replies to queries served by individuals interested in Administrator’s services;
   2. In order to monitor and improve service quality including the client service – the legal basis for the processing derives from the justified interest of the Administrator (Art.6 section 1 subsection f of GDPR) consisting in enabling the improvement of the quality if services provided by the Administrator.

9 E-MAIL AND TRADITIONAL CORRESPONDENCE

1. Should any correspondence be served to the Administrator by e-mail or traditional mail, the personal data disclosed in the correspondence shall be processed solely for the purpose of communication and resolution of the case which is the subject of the correspondence.
2. The legal basis for the processing derives from the legally justified interest of the Administrator (Art.6 section 1 sub-section f of the GDPR) consisting in keeping the correspondence sent to it in connection with its business activity.
3. The Administrator shall solely process the data of relevance for the matter which the correspondence concerns. The entire correspondence is stored in the manner ensuring security of data contained therein (and of other information) and disclosed solely to authorised persons.

10 TELEPHONE CONTACT

1. In the event of contacting the Administrator by telephone, the Administrator may request the provision of personal data solely where it is necessary to handle the matter which the contact concerns. the legal basis for the processing is the justified interest of the Administrator (Art.6 section 1 letter f of GDPR) consisting in the enabling the service of requests and provision of answers to queries made by the parties interested in Administrator’s services.
2. Telephone calls may also be recorded, in which case relevant information is provided in the beginning of the conversation. The conversations are recorded for the purpose of monitoring the quality of the service provided and verification of the consultant work. The recordings are available solely to Administrator’s staff and persons serving the Administrator’s call centre. The legal basis for the processing is the justified interest of the Administrator (Art.6 section 1 letter f of GDPR) consisting in enabling the improvement of the quality of the Administrator’s services.

11 SOCIAL MEDIA

The Administrator processes the personal data of users visiting the Administrator’s profiles as held on the social media (Facebook, YouTube, Instagram, or Twitter). The data are processed solely in connection with the profile, including to advise users of Administrator’s activity and promoting different types of events, services or products. The legal basis for the processing of personal data by the Administrator derives from its justified interest (Art.6 section 1 sub-section f of GDPR) consisting in promoting its own brand.

12 DATA COLLECTON IN OTHER CASES

1. In connection with its activity, the Administrator collects personal data also in other cases linked with the initiation and maintenance of business contacts. The legal basis for the processing derives from the justified interest of the Administrator (Art.6 section 1 letter f of GDPR) consisting in creating a network of contacts in connection with the conducted activity.
2. The personal data in such cases are processed solely for the purpose in which they were collected and the Administrator ensures their adequate protection.

13 DATA RECIPIENTS

1. In connection with the conducting of business activity requiring the processing, personal data are disclosed to third-party entities including in particular suppliers responsible for the service of IT systems and hardware, entities rendering legal or accounting services, couriers, marketing or recruitment agencies. Data may also be disclosed to selected partners of the Administrator, e.g. within the scope of performance of promotional actions in which the data subject is participating.
2. The Administrator reserves the right to disclose selected information concerning the data subject to relevant authorities, services or third parties, which require provision of such information under a relevant legal basis and in conformity with the prevailing legal regulations.

14 PROVISION OF DATA OUTSIDE EEA

1. The level of protection of personal data outside the European Economic Area (EEA) differs from the level ensured by the European law. For this reason, the Administrator provides the personal data outside EEA solely where it is necessary while ensuring adequate security level first and foremost by:
   1. Cooperating with the entities processing the data in the states with respect to which relevant decision of the European Commission has been issued;
   2. In compliance with the standard contractual clauses issued by the European Commission;
   3. In compliance with the binding corporate rules as approved by the relevant supervisory authority;
   4. In the event of data provision to the USA – cooperation with the entities participating in the Privacy Shield programme as approved by the decision of the European Commission.
2. The Administrator shall always provide information on the intention to provide the personal data outside the EEA at the stage of their collection.

15 PERIOD OF PERSONAL DATA PROCESSING

1. The period of personal data processing by the Administrator shall depend on the type of service provided and purpose of processing. The period of personal data processing may also derive from regulations where they constitute the basis for the processing. In the case of personal data processing in connection with the justified interest of the Administrator, e.g. for security reasons, the data is processed for the period enabling the realization of the interest or lodging effective objections to data processing. If the processing is carried out on the basis of consent, the data are processed until withdrawal. Where the processing us based on the necessity to enter into and carry out the agreement, the data are processed until agreement termination.
2. The period of data processing may be extended where the processing is necessary to determine or make claims or to ensure protection against claims and after this period solely in the case and in so far as necessary under the prevailing legal regulations. After the elapse of this period the data will be irreversibly deleted or anonymised.

16 RIGHTS LINKED WITH THE PERSONAL DATA PROCESSING

1. Data subjects shall have the following rights:
   1. Right to receive information on the processing of personal data – based on this information, the individual making the request is provided with the information on the personal data processing by the Administrator, including first and foremost information on the purpose and legal basis of the processing, the scope of data held, entities to whom the information is disclosed and the planned date of data deletion;
   2. The right to receive data copies – on this basis the Administrator provides an electronic copy of the processed data of the enquiring person;
   3. Right to have the data rectified – Administrator shall be required to eliminate any potential inconsistencies or errors int he processed data and supplement them if incomplete;
   4. The right to have the data deleted – on this basis it is possible to require data deletion where their processing is no longer required to realise any of the purposes for which they were collected;
   5. The right to restrict data processing – in the event of such a request, the Administrator discontinues the performance of the operations on personal data – excepting the operations to which the data subject consented – and their storage as per the prevailing retention rules or until the cause of data processing restrictions have been established (e.g. a decision by a supervisory authority has been issued permitting further data processing);
   6. The right to transfer the data – on this basis and within the scope the data are processed in connection with the entered agreement or consent given, the Administrator discloses the data provided by the data subject in the format enabling data reading by the computer. It is also possible to require that the data be disclosed to another entity subject to however that there will be technical possibilities on the Administrator as well as such other entity;
   7. The right to object to the data processing for marketing purposes – the data subject may at any time object to the data processing for marketing purposes without justifying such an objection;
   8. The right to object to other purposes of the processing – the data subject may at any time object to his/her data processing which takes place in connection with the justified interest of the Administrator (e.g. for analytic or statistical purposes or in connection with the property protection); the objection in this regard requires justification;
   9. The right to withdraw the consent – where the data are processed under consent the data subject has the right to withdraw it at any time which shall be without prejudice to the legal nature of the processing prior to withdrawal;
   10. Right to complain – where the processing of personal data is deemed in breach of GDPR or other personal data protection regulations, the data subject may lodge a complaint to the President of the Personal Data Protection Office.

17 MAKING REQUESTS CONNECTED WITH THE EXERCISING OF THE RIGHTS

1. Application concerning the exercising of the right of the data subject may be lodged:
   1. In writing to this address: Szkoła Zdobywców Horyzont Joanna Łączkowska – Jęcek, ul. Wilcza 10, 58-540 Karpacz, by e-mail to this address: ultramaraton3xsniezka@gmail.com
2. If the Administrator fails to identify the applicant under the enquiry, it shall request additional information from the Applicant.
3. The application may be served in person or through a proxy (e.g. family member). For reasons of data safety, Administrator encourages the use of the power of attorney certified by a notary or by an authorised legal counsellor or attorney which will reduce the time necessary to authenticate the genuine nature of the application.
4. Reply to the notification should be granted within one month of its being served. Where necessary to extend the period, the Administrator shall advise the applicant of the causes of delay.
5. The reply is served through traditional post unless the application was made in electronic form or electronic reply was requested.

The data subject may also personally rectify the data or update then and withdraw the previously granted consents to personal data processing or to the provision of marketing information using the portals of the Administrator. To this end an email request should be sent to: ultramaraton3xsniezka@gmail.com.

18 RULES FOR CHARGIN FEES

1. Procedure with respect to the submitted applications is free of charge. Fees may be charged solely where:
   50. A request for the second or addition copies is made (the first data copy is free); in which event the Administrator may charge a fee of PLN 50. The fee covers the administrative expenses connection with the request processing.
   51. Submission by the same person of excessive demands (e.g. uncommonly frequent) or clearly unjustified; in which case the Administrator may charge a fee of PLN 150.
2. The fee covers the costs of communication and other expenses linked with undertaking relevant action.
3. In the event of the fee being questioned by the data subject, he/she may lodge a complaint to the President of the Personal Data Protection Office.

19 AMENDMENTS TO THE PERSONAL DATA PROCERSSING POLICY

This policy is subject to ongoing update and verification.