1. DEFINITIONS
1.1. Controller - Eurocash S.A. with headquarters in Komorniki, ul. Wiśniowa 11, 62-052 Komorniki, or a company from the Eurocash Group, whose current list can be found at the address http://grupaeurocash.pl/grupa-eurocash/nasze-jednostki-i-marki.html
1.2. Personal data - all information about a physical person identified or identifiable by one or more specific factors determining physical, physiological, genetic, psychological, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies and other similar technology.
1.3. Policy - this Privacy policy.
1.4. GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC.
1.5. Website - a website maintained by the Controller at http://grupaeurocash.pl/ or others maintained by individual companies from the Eurocash Group. whose current list can be found at the address http://grupaeurocash.pl/grupa-eurocash/nasze-jednostki-i-marki.html
1.6. User - any natural person visiting the Website or using one or several services or functionalities described in this Policy.
2. PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE SERVICE
2.1. In connection with the User's use of the Website, the Controller collects data in the scope necessary to provide particular services offered, as well as information on the User's activity on the Website. The detailed principles and purposes of processing personal data collected during the use of the Website by the User are described below.
3. OBJECTIVES AND LEGAL BASIS FOR PROCESSING DATA ON THE WEBSITE
USING THE WEBSITE
3.1. Personal data of all persons using the Website (including the IP address or other identifiers and information collected via cookies or other similar technologies), and of those not being registered Users (i.e. persons without a profile on the Website) are processed by the Controller:
3.1.1. in order to provide services electronically in the field of making collected content available to Users on the Website - then the legal basis for processing is the necessity to perform the contract (Article 6 para. 1 ( b) of the GDPR);
3.1.2. for analytical and statistical purposes - then the legal basis for processing is the Controller's legitimate interest (Article 6 para. 1 (f) of the GDPR) which involves analyzing the Users' activity, as well as their preferences to improve the functionalities and services provided;
3.1.3. in order to possibly set and enforce claims or defend against them - the legal basis of the processing is the legitimate interest of the Controller (Article 6 para. 1 (f) of the GDPR) consisting in the protection of its rights;
3.1.4. for marketing purposes of the Controller and other entities, in particular related to the presentation of behavioral advertising - the principles of processing personal data for marketing purposes are described in the "MARKETING" section.
3.2. The User's activity on the Website, including his/her personal data, is recorded in system logs (a special computer program used for storing a chronological record containing information on events and activities regarding the IT system used to provide services by the Controller). Information collected in logs is processed primarily for purposes related to the provision of services. The Controller also processes them for technical and administrative purposes, to ensure the security of the IT system and management of this system, as well as for analytical and statistical purposes - in this respect, the legal basis of processing is the legitimate interest of the Controller (Article 6 para. 1 (f) of the GDPR).
REGISTRATION ON THE WEBSITE
3.3. Persons who register on the Website are requested to provide the data necessary to create and service an account. In order to facilitate the service, the User may provide additional data, thereby agreeing to their processing. Such data can be deleted at any time. Providing data marked as mandatory is required to set up and service an account, and failure to do so results in the inability to set up an account. Providing other data is voluntary.
3.4. Personal data is processed:
3.4.1. in order to provide services related to running and servicing an account on the Website - the legal basis for processing is the necessity of processing to perform the contract (Article 6 para.1 (b) of the GDPR), and in the field of optional data provided - the legal basis for processing is consent (Article 6 para.1 (a) of the GDPR);
3.4.2. for analytical and statistical purposes - the legal basis for processing is the Controller's legitimate interest (Article 6 para.1 (f) of the GDPR) of analyzing Users' activity on the Website and the use of the account, as well as their preferences to improve the functionalities used;
3.4.3. in order to possibly establish and enforce claims or defend against them - the legal basis of the processing is the legitimate interest of the Controller (Article 6 para. 1 (f) of the GDPR) consisting in the protection of its rights.
3.4.4. for marketing purposes of the Controller and other entities - the rules for the processing of personal data for marketing purposes are described in the "MARKETING" section.
3.5. If the account on the Website can also be logged into via social networks (e.g. Facebook, G+, Instagram, Twitter), the Website will download from the User's account as part of the social network only data necessary for registration and account servicing. By individually changing the plug-in settings, the User can easily extend the scope of downloaded data with those that may be useful when using the account's functionality on the Website.
3.6. If the User places any personal data of other people on the Website (including their name, address, telephone number or e-mail address), they can do so only on condition that they do not violate applicable law and personal rights of such persons.
PLACING ORDERS (USE OF PAID SERVICES ON THE WEBSITE)
3.7. Placing an order (purchase of goods or services) by the Website User involves the processing of his/her personal data. Providing data marked as mandatory is required in order to accept and service the order, and failure to do so results in the lack of its implementation. Providing other data is optional.
3.8. Personal data is processed:
3.8.1. in order to execute the order - the legal basis for processing is the necessity of processing to perform the contract (Article 6 para.1 (b) of the GDPR); for optional data, the legal basis for processing is consent (Article 6 para. 1 (a) of the GDPR);
3.8.2. in order to fulfill statutory obligations imposed on the Controller, resulting in particular from tax regulations and accounting provisions - the legal basis for processing is a legal obligation (Article 6 para. 1 (c) of the GDPR);
3.8.3. for analytical and statistical purposes - the legal basis for processing is the Controller's legitimate interest (Article 6 para.1 (f) of the GDPR) by analyzing the Users' activity on the Website, as well as their purchase preferences in order to improve the functionalities used;
3.8.4. in order to possibly establish and enforce claims or defend against them - the legal basis of the processing is the legitimate interest of the Controller (Article 6 para.1 (f) of the GDPR) consisting in the protection of its rights.
CONTACT FORM
3.9. The Controller provides the opportunity to contact him using electronic contact forms. Using the form requires providing personal data necessary to contact the User and reply to the request. The User may also provide other data to facilitate contact or service of the inquiry. Providing data marked as mandatory is required in order to receive and service the request, and failure to do so results in a lack of service. Providing other data is voluntary.
3.10. Personal data is processed:
3.10.1. in order to identify the sender and handle his/her inquiry sent by the form provided - the legal basis for processing is the necessity of processing to perform the contract for the provision of the service (Article 6 para. 1 (b) of the GDPR);
3.10.2. for analytical and statistical purposes - the legal basis of the processing is the legitimate interest of the Controller (Article 6 para.1 (f) of the GDPR) which consists in keeping statistics on queries submitted by Users via the Website in order to improve its functionality.
4. MARKETING
4.1. The Controller processes Users' personal data in order to carry out marketing activities, which may consist in:
4.1.1. displaying to the User marketing content that is not adapted to its preferences (contextual advertising);
4.1.2. displaying to the User marketing content corresponding to his/her interests (behavioral advertising);
4.1.3. directing e-mail notifications about interesting offers or content, which in some cases contain commercial information (newsletter service)
4.1.4. conducting other types of activities related to direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities)
4.2. In order to implement marketing activities, the Controller uses profiling in some cases. This means that due to the automatic processing of data, the Controller evaluates selected factors concerning natural persons in order to analyze their behavior or create a forecast for the future.
CONTEXT ADVERTISING
4.3. The Controller processes Users' personal data for marketing purposes in connection with the targeting of Contextual Ads to Users (i.e. advertising that is not suited to the User's preferences). The processing of personal data takes place then in connection with the implementation of the justified interest of the Controller (Article 6 para. 1 (f) of the GDPR.
BEHAVIORAL ADVERTISING
4.4. The Controller and its trusted partners process Users' personal data, including personal data collected through cookies and other similar technologies, for marketing purposes in connection with the targeting of behavioral advertising to Users (i.e. advertising that is tailored to the User's preferences). The processing of personal data also includes profiling of Users. The use of personal data collected through this technology for marketing purposes, in particular in the promotion of services and goods of third parties, requires the User's consent. This consent can be withdrawn at any time.
NEWSLETTER
4.5. The Controller provides the newsletter service on the terms set out in the regulations to persons who have given their e-mail address for this purpose. Providing data is required to provide the newsletter service, and failure to do so results in the inability to send it.
4.6. Personal data is processed:
4.6.1. in order to provide the newsletter service - the legal basis for processing is the necessity of processing to perform the contract (Article 6 para.1(b) of the GDPR);
4.6.2. in case of sending marketing content to the User as part of the newsletter - the legal basis for the processing, including profiling, is the Controller's interest (Article 6 para. 1(f) of the GDPR) and the consent to receive the newsletter;
4.6.3. for analytical and statistical purposes - the legal basis of the processing is a legitimate interest of the Controller, (Article 6 para. 1(f) of the GDPR) involving the analysis of Users' activity on the Website in order to improve the functionalities used;
4.6.4. in order to possibly set and enforce claims or defend them - the legal basis of the processing is the legitimate interest of the Controller (Article 6 para.1(f) of the GDPR).
DIRECT MARKETING
4.7. The User's personal data may also be used by the Controller to direct marketing content to him/her through various channels, i.e. via e-mail, by MMS/SMS or by phone. Such actions are taken by the Controller only upon the User’s consent, which he/she can withdraw at any time.
5. SOCIAL MEDIA
5.1. The Controller processes personal data of Users visiting Controller profiles carried out in social media (e.g. Facebook, YouTube, Instagram, Twitter). These data are processed only in connection with maintaining the profile, including to inform Users about the activity of the Controller and to promote various types of events, services and products. The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6 para. 1(f) of the GDPR), which consists in promoting its own brand.
6. COOKIES AND SIMILAR TECHNOLOGY
6.1. Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information that facilitates the use of the Website - for example, by memorizing the User's visits to the Website and the activities carried out by him/her.
"SERVICE" COOKIES
6.2. The Controller uses the so-called service cookies primarily to provide the User with services provided electronically and to improve the quality of these services. Therefore, the Controller and other entities providing its analytical and statistical services use cookies by storing information or accessing information already stored in the User's telecommunications terminal equipment (computer, telephone, tablet, etc.). Cookies used for this purpose include:
6.2.1. user input cookies with data entered by the User (session id) for the duration of the session;
6.2.2. authentication cookies used for services requiring authentication for the duration of the session;
6.2.3. user centric security cookies used to ensure security, e.g. used to detect user centric security;
6.2.4. multimedia player session cookies for multimedia players (e.g. flash player cookies), for the duration of the session;
6.2.5. user interface customization cookies - permanent cookies used to personalize the User interface for the duration of the session or a bit longer,
6.2.6. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze how the User uses the Website, to create statistics and reports on the operation of the Website). Google does not use the collected data to identify you or link this information to enable identification. Detailed information about the scope and rules of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
"MARKETING" COOKIES
6.3. The Controller and his trusted partners also use cookies for marketing purposes, including in connection with the targeting of behavioral advertising to Users. For this purpose, the Controller and trusted partners store information or access information already stored in the User's telecommunications terminal device (computer, telephone, tablet, etc.). The use of cookies and personal data collected through them for marketing purposes, in particular as regards the promotion of services and goods of third parties, requires the User's consent. This consent can be withdrawn at any time.
7. PERIOD OF PROCESSING OF PERSONAL DATA
7.1. The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. As a rule, the data is processed by the time the service is provided or the order is being processed, until the consent is withdrawn or the effective opposition to data processing is filed in cases where the legal basis for data processing is the Controller's legitimate interest.
7.2. The data processing period may be extended if the processing is necessary to establish and assert any claims or defend against them, and after that time only if and to the extent required by law. After the end of the processing period, the data is irreversibly deleted or anonymized.
8. USER RIGHTS
8.1. The User has the right to: access the data contents and demand their rectification, deletion, processing restrictions, the right to transfer data and the right to object to the processing of data, as well as the right to lodge a complaint to the supervisory body dealing with the protection of personal data.
8.2. To the extent that User's data are processed on the basis of consent, it can be withdrawn at any time by contacting the Controller.
8.3. The User has the right to object to the processing of data for marketing purposes, if the processing takes place in relation to the justified interest of the Controller, and - for reasons related to the special situation of the User - in other cases where the legal basis for data processing is the Controller's interest (e.g. in connection with the implementation of analytical and statistical objectives).
9. DATA RECIPIENTS
9.1. In connection with the implementation of services, personal data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems, entities such as banks and payment operators, entities providing accounting services, couriers (in connection with the implementation of the contract), marketing agencies (in the scope of marketing services) and entities associated with the Controller, including companies from its capital group.
9.2. If the User agrees, his/her data may also be made available to other entities for their own purposes, including marketing purposes.
9.3. The Controller reserves the right to disclose selected information about the User to the competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.
10. TRANSMISSION OF DATA OUTSIDE THE EEA
10.1. The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when it is necessary and with an adequate level of protection, primarily through:
10.1.1. cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued;
10.1.2. use of standard contractual clauses issued by the European Commission;
10.1.3. applying binding corporate rules, approved by the competent supervisory authority;
10.1.4. in the event of data transfer to the USA - cooperation with entities participating in the Privacy Shield program, approved by the European Commission.
10.2. The Controller always informs about the intention to transfer personal data outside the EEA at the collection stage.
11. SECURITY OF PERSONAL DATA
11.1. The Controller conducts risk analysis on an ongoing basis to ensure that personal data is processed in a secure manner - ensuring, above all, that only authorized persons have access to the data and only to the extent that it is necessary due to the tasks performed by them. The Controller makes sure that all operations on personal data are recorded and made only by authorized employees and associates.
11.2. The Controller undertakes all necessary actions, so that its subcontractors and other cooperating entities would guarantee that appropriate security measures will be applied whenever they process personal data at the request of the Controller.
12. CONTACT DETAILS
12.1. Contact with the Controller is possible via the e-mail address eurocash@eurocash.pl or via the mailing address.
12.2. The Controller has appointed the Data Protection Officer in the person of Jan Domański, who can be contacted via e-mail or by phone in any matter regarding the processing of personal data. For Eurocash SA, this is the address iod_ec@eurocash.pl and phone number 0-61 333 2274. The current list of contacts to the Data Protection Officer can be found at this link. Contact details of DPO (IOD)
13. CHANGES IN THE PRIVACY POLICY
13.1. The policy is verified on an ongoing basis and updated if necessary. The current version of the Policy has been adopted and is valid from 24/05/2018.