Privacy policy

PRIVACY AND COOKIE POLICY

  1. GENERAL INFORMATION AND DECLARATIONS

This document (hereinafter also referred to as: ‘Privacy Policy’ or ‘Policy’) sets out the privacy policy for the website operated at: www.sevra.pl, as well as the rules for the processing of personal data in connection with legal relationships established by the Administrator resulting from contracts, orders and deliveries, in particular Sales Agreements concluded by the Administrator, unless separate regulations are provided for a given legal relationship.

In the further part of this document, the website www.sevra.pl will also be referred to as: ‘Website’ or ‘Internet Website’.

The administrator of the personal data of the Website users and Customers is Wienkra spółka z ograniczoną odpowiedzialnością with its registered office in Krakow, at ul. Kotlarska 34, 31-539 Krakow, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Krakow-Śródmieście in Krakow, 11th Commercial Division of the National Court Register under KRS number: 0000135860, NIP 6790005643, REGON: 350008743, share capital of PLN 50,000.00 (hereinafter referred to as: ‘Administrator’ or ‘Personal Data Administrator’ or ‘Wienkra’).

Other capitalised terms have the meanings given to them in the General Terms and Conditions of Sale and Delivery of Goods by Wienkra sp. z o.o., available on the Website (hereinafter also referred to as: ‘GTCSD’).

Users within the meaning of this document shall be understood as all visitors to the Website, unless the context indicates otherwise.

The Privacy Policy is available at all times on the Website in a manner that allows its content to be obtained, reproduced and recorded by printing or saving it on a medium at any time.

Personal data collected by the Administrator is processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, p. 1), hereinafter referred to as: ‘GDPR’.

The services provided by the Administrator are not intended for children under 16 years of age. The personal data controller does not intend to collect data relating to children under 16 years of age.

The Administrator makes every effort to protect the privacy and information provided to it or collected by it, primarily concerning users of the Website and Customers. The Administrator selects and applies appropriate technical measures with due diligence, including in particular programming and organisational measures, to ensure the protection of the data being processed, and in particular protects the data against unauthorised access, disclosure, loss and destruction, unauthorised modification, as well as against processing in violation of applicable law.

The Website may use so-called plug-ins and other social media tools, including, in particular, those enabling the user to go directly to the Administrator’s social media profiles, such as Facebook.com, YouTube.com or Linkedin.com. The providers of these services may also process personal data as independent controllers.

  2. CONTACT WITH THE ADMINISTRATOR

The Administrator can be contacted in matters relating to personal data by:

  • e-mail, at the following e-mail address: rodo@wienkra.pl;
  • traditional mail, sent to the following address: ul. Kotlarska 34, 31-539 Kraków;
  • telephone, at the number: +48 505600630;
  • electronic contact form available on the Website.

  3. PERSONAL DATA – PURPOSES AND BASIS FOR THE PROCESSING OF PERSONAL DATA

Purposes and legal bases for the processing of personal data related to the conclusion and performance of Sales Agreements, the operation of the Website and the provision of services/access to the functionality of the Website

The personal data controller processes personal data for the following purposes and to the extent specified below, and on the basis of the following legal provisions:

  1. Basis: Personal data processed on the basis of Article 6(1)(b) of the GDPR – i.e. for the purposes of performing a contract, as well as for taking steps at the request of the data subject prior to entering into a contract, and where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party – The controller processes personal data on the basis of Article 6(1)(f) of the GDPR.

Purpose and scope: On this basis, the Controller processes data for the following purpose and to the following extent:

  • to contact the data subject at their request in order to present an offer or other information, arrange a meeting with an installer, or enable such person to place an Order for Goods and conclude a Sales Agreement. For this purpose, the data collected or provided by the data subject when establishing contact, in particular in the relevant forms on the Website, as well as data provided during telephone or e-mail contact, such as name and surname, e-mail address, address, telephone number, IP address, are processed;
  • conclusion and performance of the Contract for the sale of Goods, including for the purpose of performing the Contract, delivery of Goods, processing payments – for this purpose, in particular, personal data provided by the data subject when placing an Order (regardless of the form/method of placing the Order) or other data provided for the purpose of fulfilling the Order and the Sales Agreement, in particular such as: first and last name, email address, address details, payment details, company identification numbers (e.g. tax identification number), or data provided or collected in the Order form;
  • the provision of services to a given person and the provision of the Website’s functionality, including functionality and services that do not require any contact, e.g. browsing the Website’s pages, content search engine. For this purpose, the Controller processes personal data relating to the activity of such a person on the Website, i.e. data relating to the content viewed by them, information about the Goods or the functionalities of the Website used, data relating to the user’s device session, operating system, browser, location and unique ID and IP address;

Legitimate interest of the Controller: In the case of personal data processing for the above purposes, the legitimate interest pursued by the Controller consists in: building and maintaining positive relations with data subjects, including in particular responding to their enquiries and contacting them, as well as building and maintaining the proper image of the Controller itself and developing and improving the standard of the activities and services provided by the Controller;

  1. Basis: Where processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, the Controller shall process personal data on the basis of Article 6(1)(f) of the GDPR.

Purpose and scope: On this basis, the Administrator processes data for the following purpose and scope:

  • determining the scope and keeping statistics on the use of the Website, facilitating or otherwise optimising the use of the Website and its services and functionalities, or ensuring the IT security of the Website and its functionalities. For this purpose, the Administrator processes, in particular, personal data relating to user activity on the Website, including, among other things, the amount of time spent on each subpage, search history, clicks, location, IP address, device ID, data relating to the user’s web browser and operating system;
  • in order to establish, pursue and enforce claims and defend against claims in court proceedings and before other authorities, including enforcement authorities – for this purpose, the Administrator may process, in particular, personal data provided by the data subject for the purposes of concluding and performing the Sales Agreement, data provided by the user on the Website, data obtained during contact with the Administrator, including primarily data provided in forms available on the Website and other data necessary to prove the existence of a claim or which result from a legal requirement, court order or other legal procedure;

Legitimate interest of the Administrator: In the case of personal data processing for the above purposes, the legitimate interest pursued by the Administrator consists in: the possibility of establishing, pursuing and enforcing claims and defending against claims in proceedings before courts and other state authorities, improving the level of services and activities and the efficiency and security of the Website, as well as building and maintaining positive relations with users and Customers.

  1. Basis: where processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, and where the processing of personal data also requires the consent of the data subject – on the basis of that consent – i.e. pursuant to Article 6(1)(f) of the GDPR and pursuant to Article 6(1)(a) of the GDPR. However, where personal data are processed for the performance of a contract, as well as for taking steps at the request of the data subject prior to entering into a contract – pursuant to Article 6(1)(b) of the GDPR.

Additionally, in the case of certain marketing activities, including the sending of commercial/marketing information or other similar types of communication, in particular those subject to the legal regulations specified herein, the basis for the processing of personal data is also the regulation contained in the Electronic Communications Law of 12 July 2024 (Journal of Laws of 2024, item 1221).

Purpose and scope: On this basis, the Administrator processes data for the following purpose and scope:

  • marketing of the Administrator’s products and services and the products and services of the Administrator’s partners, including remarketing – for this purpose, the Administrator mainly processes personal data provided by the data subject, including in forms on the Website, data on the data subject’s activity on the Website, including data that is recorded and stored via cookies, in particular the history of activity and actions on the Website, including the history and activity related to communication with the Administrator, and in the case of users who are also Customers, also data relating to Orders and Sales Agreements, as well as data provided when placing an Order and for the purposes of and in connection with the conclusion of a Sales Agreement. In the case of remarketing, the Administrator also uses data about the activity of the data subject in order to reach them with marketing communications, including dedicated content outside the Website. For this purpose, the Administrator may use the services of external providers who provide specific mechanisms. These services consist in particular of displaying the Administrator’s messages on websites other than the Website. Details on this subject can also be found in the provisions on cookies, further in this document;
  • the use of cookies by the Administrator on the Website. Depending on the type (category of cookies), the basis for the processing of personal data is different, i.e. necessary cookies – the basis is Article 6(1)(f) of the GDPR and Article 6(1)(b) of the GDPR. In the case of cookies in the Statistics and Analysis and Marketing categories, the basis is Article 6(1)(a) of the GDPR. If the Controller has not categorised a cookie, the basis is also Article 6(1)(a) of the GDPR. More information on this subject can be found in the provisions on cookies set out later in this document, which regulate the use of these files;
  • for market research, opinion polling, measurement and statistics by the Controller or its partners – for this purpose, the Controller uses, in particular, data relating to Orders and Sales Agreements, data provided by the Website user on the Website, including, in particular, in individual forms on the Website, and data relating to the user’s behaviour when visiting the Website. Detailed instructions are provided in the information about a given survey, form or in the place where the data subject enters their data.

Legitimate interest of the Administrator: In the case of personal data processing for the above purposes, the legitimate interest pursued by the Administrator, where it is the basis for processing, consists in: the possibility of informing about the Administrator’s offer, including in particular the products and services offered, and building a positive image, direct marketing of products and services, as well as ensuring the most optimal use of the functionality of the Website and its pages in general and improving their level and security, as well as optimising and changing the Administrator’s offer.

  1. Basis: performance of a contract, as well as where processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party – the legitimate interest of the administrator, i.e. pursuant to Article 6(1)(f) of the GDPR and Article 6(1)(b) of the GDPR.

Purpose and scope: On this basis, the Administrator processes data for the following purpose and scope:

  • considering complaints, claims and requests and responding to questions from users and Customers and end users of the Goods – for this purpose, the Controller primarily processes personal data provided in the contact form and in other electronic forms on the Website, in emails, SMS correspondence, complaints, claims and requests, and questions submitted in other forms. For this purpose, the Administrator processes data relating to Orders and Sales Agreements and other services provided by the Administrator which are the subject of complaints, claims or requests, questions and data contained in documents attached to complaints, claims, requests and questions;
  • organisation and conduct of competitions, promotions, loyalty programmes and similar campaigns, promotional events, including notifications of points collected or benefits received, notifying winners and advertising the Administrator’s offer – for this purpose, the Administrator uses in particular the personal data provided by the person when joining or registering for a competition, promotion, programme or other campaign. Detailed information on this subject is provided each time in the terms and conditions of participation in a given competition, promotion, programme or campaign;

Legitimate interest of the Administrator: In the case of personal data processing for the above purposes, the legitimate interest pursued by the Administrator consists in the possibility of lawfully considering complaints, responding to comments or questions from users, as well as improving the level of services provided and building positive relationships with them.

  1. Basis: when data processing is necessary for the fulfilment of a legal obligation incumbent on the Administrator, i.e. pursuant to Article 6(1)(c) of the GDPR – in particular consisting in the fulfilment by the Administrator of legal obligations imposed by tax law/accounting regulations, in particular in connection with the settlement of Orders, competitions, promotions, loyalty programmes or similar campaigns. For this purpose, the personal data provided for the purpose of placing and settling an Order and performing the Order and the Sales Agreement, as well as the data provided by the user or Customer when joining a loyalty programme, competition, promotion or similar campaign, are processed in accordance with its rules.

Other/remaining purposes and legal bases for the processing of personal data

  1. Basis: performance of the contract, as well as in cases where data processing is necessary for purposes arising from legitimate interests pursued by the Controller or by a third party – legitimate interest of the controller, i.e. pursuant to Article 6(1)(f) of the GDPR and pursuant to Article 6(1)(b) of the GDPR (for the purposes of performing a contract, as well as taking steps at the request of the data subject prior to entering into a contract).

Purpose and scope: For this purpose, the Controller processes personal data (in particular: identifiers, content of comments, opinions) relating to persons (users) visiting profiles maintained by the Controller on social media or other websites (e.g. Facebook, YouTube, LinkedIn). Personal data is processed for the purpose of maintaining such profiles and providing information about the Administrator’s activities or sharing opinions expressed about the Administrator.

Legitimate interest of the Administrator: building the image of the Administrator, informing about its activities, as well as building positive relationships with users, and the possibility of pursuing or defending against possible claims, with the proviso that this Privacy Policy does not constitute a regulation related to the processing of personal data by the administrators of the above-mentioned websites or social media.

  1. Basis: performance of a contract, as well as where processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party – legitimate interest of the administrator, i.e. pursuant to: Article 6(1)(f) of the GDPR and Article 6(1)(b) of the GDPR.

Purpose and scope: Processing of personal data of members of the staff of contractors, partners or customers cooperating with the Administrator.

In connection with the conclusion of contracts within the scope of its business activities, the Administrator receives from customers or contractors the data of persons involved in the performance of such contracts (e.g. persons authorised to contact, cooperating in the performance of services, etc.). The scope of the data transferred is in each case limited to the extent necessary for the performance of the contract and does not usually include information other than name and contact details (business e-mail or telephone number).

Legitimate interest of the Controller: The above personal data is processed for the purpose of pursuing the legitimate interest of the Controller and its contractor (where processing is based on this basis) consisting in enabling the proper and effective performance of the contract.

Such data may be disclosed to third parties involved in the performance of the contract.

  1. Basis: performance of the contract, as well as where processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party – legitimate interest of the controller, i.e. on the basis of: Article 6(1)(f) of the GDPR and Article 6(1)(b) of the GDPR;

Purpose and scope: Processing of data collected in the course of business contacts.

In connection with its activities, the Controller also collects personal data in other cases, e.g. during business meetings, for purposes related to initiating and maintaining business contacts.

Personal data collected in such cases is processed only for the purpose for which it was collected, and the Controller ensures its adequate protection.

Legitimate interest of the Controller: networking, building relationships, maintaining a positive image in connection with its business activities.

  1. Basis: performance of the Agreement, i.e. Article 6(1)(b) of the GDPR, as well as where processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, i.e. the legitimate interest of the Controller, pursuant to Article 6(1)(f) of the GDPR.

Purpose and scope: Organisation of events and training courses.

In connection with the organisation of events, including online events or training courses, the Controller obtains personal data from persons who register for events or training courses and participate in them. The scope of the data transferred is in each case limited to the extent necessary for the organisation of the event and does not usually include information other than the participant’s name and email address.

Such personal data is processed for the purpose of identifying participants in the event/training, contacting them and handling their participation in the event or training.

Personal data will also be processed for purposes related to surveying satisfaction with participation in the event or training, for statistical purposes or for providing participants with appropriate confirmations of participation, certificates, etc.

Events or training courses may be recorded – in such a case, participants will be informed of this fact, in particular in a message displayed within the tool used by the Controller to organise the event or online training course or by informing them before the start of the training course or stationary event. Recordings may be made available in particular to event participants.

Legitimate interest of the Administrator: organisation of the event in connection with the submitted registration for participation in the event, as well as collecting information and conducting analyses related to the satisfaction survey regarding participation in the event or training and for general statistical purposes.

  1. Legal basis: data processing is necessary for compliance with a legal obligation to which the Controller is subject, i.e. pursuant to Article 6(1)(c) of the GDPR, and the data subject has given consent to the processing of his or her personal data for one or more specific purposes, i.e. pursuant to Article 6(1)(a) of the GDPR, and processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, i.e. pursuant to Article 6(1)(b) of the GDPR, and when processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party – legitimate interest of the controller, i.e. pursuant to Article 6(1)(f) of the GDPR.

Purpose and scope: Conducting recruitment processes and employment.

As part of the recruitment processes, the Controller expects personal data (e.g. in application documents such as CVs or resumes) to be provided only to the extent specified in the provisions of labour law. Therefore, no further information should be provided. If the applications submitted contain additional data beyond the scope specified by labour law, their processing will be based on the candidate’s consent (Article 6(1)(a) of the GDPR), expressed through an unambiguous confirmatory action, which is the submission of application documents by the candidate. If the applications sent contain information that is not relevant to the purpose of recruitment, they will not be used or taken into account in the recruitment process.

Personal data is processed depending on the specific form of employment and includes:

  • if the preferred form of employment is an employment contract – for the purpose of performing obligations arising from legal provisions related to the employment process, including in particular the Labour Code – the legal basis for processing is the legal obligation incumbent on the Controller (Article 6(1)(c) of the GDPR in conjunction with the provisions of the Labour Code);
  • if the preferred form of employment is a civil law contract – for the purpose of conducting the recruitment process – the legal basis for the processing of data contained in the application documents is the taking of steps prior to entering into a contract at the request of the data subject (Article 6(1)(b) of the GDPR);
  • for the purpose of conducting the recruitment process with regard to data not required by law or by the Controller, as well as for future recruitment processes – the legal basis for processing is consent (Article 6(1)(a) of the GDPR);
  • in order to verify the qualifications and skills of candidates and to determine the terms of cooperation – the legal basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR);
  • in order to establish or pursue any claims by the Administrator or defend against claims made against the Administrator – the legal basis for data processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR).

To the extent that personal data is processed on the basis of consent, the consent may be withdrawn at any time without affecting the lawfulness of the processing carried out prior to its withdrawal. If consent is given for future recruitment processes, personal data shall be deleted no later than after two years, unless consent is withdrawn earlier.

The provision of data within the scope specified in Article 22(1) of the Labour Code is required – if the candidate prefers employment based on an employment contract – by law, including in particular the Labour Code, and if the candidate prefers employment based on a civil law contract – by the Controller. Failure to provide this data will result in the inability to consider the candidate in the recruitment process. Providing other data is voluntary.

Legitimate interest of the Administrator: where, in the above cases, the legal basis for data processing is the legitimate interest of the Administrator, this interest consists in particular in: establishing or pursuing possible claims by the Administrator, or defending against claims made against the Administrator, verifying job candidates and determining the terms of possible cooperation.

  4. PERSONALISED ADVERTISEMENTS AND SOCIAL MEDIA PLUGINS

The Administrator may use personal data to prepare and present personalised advertisements to users visiting the Website, including through the use of third-party tools and cookies. Further information on this subject can be found in the provisions on cookies later in this Policy.

The Website may use so-called social plugins and other similarly functioning social tools, including those enabling the user to go directly to profiles maintained by the Administrator on social media, such as Facebook.com, Linkedin.com, YouTube.com. The providers of these services may also process personal data as independent controllers. Detailed rules for the processing of personal data by social media controllers can be found on the websites of the individual services.

When you visit the Website, your browser may connect directly to the servers of the entities providing these plugins/tools, which means that these entities receive information about your use of the Website, including your IP address. Such information may be transmitted regardless of whether the user has an account with such an entity and whether they are currently logged in to it. If the user has an account with such an entity and is logged in to it, this information may also be linked and assigned to their account on the social networking site. Certain content may also be published as part of the user’s profile on social networking sites and visible to other users of such sites, including in particular those with whom they have established relationships.

If the user does not want plug-in/tool providers/social networking sites to assign their data collected during their visit to the Website to their profile with the provider, they should log out of the social networking site before visiting the Website. The user may also prevent plugins from loading on the website by using the appropriate mechanisms within the browser they are using, in accordance with its settings.

The Administrator endeavours to exercise all due care in selecting only software, including the above-mentioned plugins, from reputable entities that broadly define their personal data protection policies.

The purposes, scope and rules for the collection and further processing of personal data by these entities can be found in their privacy policies. The Administrator encourages you to read them, including at the following addresses:

http://www.facebook.com/policy.php;

https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect;

https://pl.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy;

https://policies.google.com/privacy?hl=pl.

  5. CATEGORIES OF RELEVANT PERSONAL DATA

The personal data controller processes the following categories of relevant personal data:

  • data relating to Orders and Sales Agreements;
  • billing data;
  • contact details, including data indicated/provided in the contact forms available on the Website;
  • data relating to activity on the Website;
  • data relating to the services and functionalities used by the Website user;
  • data relating to complaints, claims and requests;
  • data relating to marketing services;
  • data relating to user activity on social networking sites where the Controller has profiles/accounts;
  • data relating to training participants;
  • data relating to contractors or partners;
  • data of employees, associates;
  • candidate data.

  6. VOLUNTARY PROVISION OF PERSONAL DATA

The provision of data by the data subject for the purpose of presenting an offer, placing an Order and concluding a Sales Agreement or for the purpose of contacting the Administrator is voluntary and constitutes a condition for the conclusion of a Sales Agreement and/or the provision of services by the Administrator.

The provision of certain data is a condition for using specific services and functionalities of the Website. The system automatically marks mandatory data. Failure to provide this data will result in the inability of the Website to provide certain services and functionalities of the Website. Apart from data marked as mandatory, the provision of other personal data is voluntary.

  7. DATA PROCESSING TIME

Personal data will be processed by the Administrator, as a rule, for the period necessary to fulfil Orders and Sales Agreements, services, marketing activities and other services performed for the Customer and the Website user. The period of data processing by the Administrator depends on the type of service provided and the purpose of processing.

The period of data processing may also result from generally applicable law, where it constitutes the basis for processing. Personal data will be deleted in the following cases:

  • when the data subject requests their deletion or withdraws their consent;
  • when the data subject has not taken any action for more than 10 years (inactive contact);
  • upon obtaining information that the stored data is outdated or inaccurate;
  • when the data subject effectively objects to the processing of their personal data by the Controller, where the basis for the processing of personal data is the legitimate interest of the Controller.

Some data may be processed for as long as it is necessary to pursue any claims or defend against claims, for evidence purposes, both in relation to claims related to Sales Agreements concluded and services provided by the Controller through the Website, as well as for the purposes of handling complaints, claims or other requests – until the expiry of the limitation period for claims. This data will not be used by the Administrator for marketing purposes.

Data relating to Orders/Sales Agreements for Goods, competitions, promotions, loyalty programmes or similar campaigns, to the extent necessary for bookkeeping and accounting purposes, will be stored for the period necessary under generally applicable law, including in particular accounting and bookkeeping regulations.

Data collected through cookies, other internet identifiers and similar mechanisms shall be stored by the Administrator for a period corresponding to the lifetime of cookies stored on devices or until they are deleted from the user’s device by the user. Details on the lifetime of a given cookie can be found in the provisions on cookies set out later in this document.

  • RECIPIENTS OF PERSONAL DATA

In accordance with Article 4 of the GDPR, a recipient is understood to be a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not they are a third party.

Due to the purposes of personal data processing indicated by the Controller, including the provision of electronic services, personal data processed by the Controller may be transferred to the following categories of recipients:

  1. state authorities, e.g. the public prosecutor’s office, the Police, the President of the Personal Data Protection Office (PUODO), if they request this from the Controller, indicating the legal basis for their requests;
  2. service providers with whom the Administrator cooperates, in particular in the performance of sales agreements or enabling payments, as well as to enable the use of the Website, the operation and maintenance of the Website’s IT resources, and entities providing accounting services to the Administrator. Depending on contractual arrangements and circumstances, these entities act on behalf of the Administrator or independently determine the purposes and means of processing;
  3. personal data may also be transferred to other entities – suppliers of tools whose cookies are used. Information about these entities and the purposes of using cookies is contained in the further provisions of this document.

A detailed list of suppliers may be made available by the Administrator at the request of the data subject.

The above-mentioned suppliers are mainly based in countries of the European Economic Area (EEA). The personal data controller may commission specific activities to recognised subcontractors operating outside the EEA. Personal data transferred outside the EEA will be protected by appropriate legal safeguards so that the recipients guarantee a high level of personal data protection. These guarantees result in particular from the obligation to apply standard contractual clauses adopted by the Commission (EU) or binding corporate rules duly approved by a supervisory authority within the meaning of the GDPR. The manner in which data is secured complies with the principles set out in Chapter V of the GDPR. The data subject may request the Controller to provide additional information on the security measures applied in this regard, obtain a copy of these measures and information on where they are disclosed. In addition, the Controller will inform the data subject of its intention to transfer personal data outside the EEA at the stage of collecting personal data.

  1. AUTOMATED DECISION-MAKING

The Controller takes measures within the Website to monitor the activity of its users (visitors to the Website) and analyse such activity, but does not make automated decisions with significant effects within the meaning of the GDPR, including profiling. Information on personalised advertising can be found further in this document in the section on cookies.

  1. RIGHTS OF THE DATA SUBJECT

Under the GDPR, the data subject has the right to:

  • request access to their personal data;
  • request the rectification of their personal data;
  • request the erasure of their personal data;
  • request the restriction of the processing of their personal data;
  • object to the processing of their personal data;
  • request the transfer of their personal data;
  • withdraw consent to the processing of personal data; and
  • lodge a complaint with a supervisory authority.

Details of individual rights:

  1. right of access to personal data (Article 15 of the GDPR).

The data subject may obtain from the Controller information as to whether their data is being processed and, if so, has the right to:

  • access the data;
  • obtain information about the purposes of the processing, the categories of personal data being processed, the recipients or categories of recipients of the data, the envisaged period for which the personal data will be stored, or the criteria for determining that period, the existence of the right to lodge a complaint with a supervisory authority, the source of the personal data, the existence of automated decision-making, including profiling, and the measures taken to protect the personal data if they are transferred outside the European Union;
  • obtain a copy of their personal data.

  1. the right to rectify personal data (Article 16 of the GDPR).

If personal data is incorrect, the data subject may request the Controller to rectify it without delay. They may also request the Controller to supplement this data.

  1. the right to erasure of personal data, the so-called ‘right to be forgotten’ (Article 17 of the GDPR)

The data subject may request this when:

  • their personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • they have withdrawn their consent to the extent that the personal data were processed based on their consent;
  • their personal data have been processed unlawfully;
  • they have objected to the processing of personal data for direct marketing purposes, including profiling, to the extent that the processing of personal data is related to direct marketing;
  • they have objected to the processing of their personal data in connection with processing necessary for the performance of a task carried out in the public interest or processing necessary for the purposes of the legitimate interests pursued by the Controller or a third party.

Despite the request to delete personal data, the Controller may continue to process the data for the purpose of establishing, pursuing or defending claims, of which the person who made the request will be informed.

  1. the right to request restriction of personal data processing (Article 18 of the GDPR).

The data subject may request this when:

  • they contest the accuracy of their personal data – the personal data controller will restrict the processing of their personal data for a period enabling the accuracy of the data to be verified;
  • the processing of their data is unlawful and, instead of erasure, the data subject requests restriction of processing of their personal data;
  • their personal data is no longer needed for processing, but is needed to establish, pursue or defend claims;
  • they have objected to the processing of personal data – until it is determined whether the legitimate interests of the personal data controller override the grounds indicated in their objection.

  1. the right to object to the processing of personal data (Article 21 of the GDPR).

The data subject may object at any time to the processing of their personal data, including profiling, in relation to:

  • processing necessary for the performance of a task carried out in the public interest or processing necessary for the purposes of the legitimate interests pursued by the Controller or a third party;
  • processing for direct marketing purposes, if applicable.

  1. the right to request the transfer of personal data (Article 20 of the GDPR).

The data subject has the right to receive their personal data from the Controller in a structured, commonly used and machine-readable format and to transmit it to another personal data controller or request that the Controller transmit their personal data directly to another controller (if technically possible).

  1. Right to withdraw consent to the processing of personal data.

The data subject may do so at any time. This does not affect the lawfulness of the processing carried out on the basis of their consent prior to its withdrawal.

  1. Right to lodge a complaint with a supervisory authority.

If the data subject believes that the processing of their personal data violates the GDPR, they have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement.

In Poland, the supervisory authority responsible for personal data protection is the President of the Personal Data Protection Office (PUODO).

How to exercise your rights:

You can exercise all your rights by contacting the Controller at the contact details provided in this Policy.

The Controller shall, without undue delay, and in any event within one month of receiving the request, provide information on the actions taken in response to the request submitted by the data subject. If necessary, the one-month period may be extended by a further two months due to the complex nature of the request or the number of requests. In any case, the Administrator shall inform the person of such extension within one month of receiving the request, stating the reasons for the delay.

  1. WHISTLEBLOWER PROTECTION – DETAILED REGULATIONS ON THE PROCESSING OF PERSONAL DATA
  • INTRODUCTORY PROVISIONS:
  1. This chapter sets out the privacy policy in connection with the introduction of internal procedures for the protection of whistleblowers at Wienkra, in accordance with the provisions of the Act of 14 June 2024 on the protection of whistleblowers (Journal of Laws, item 928) (hereinafter referred to as the ‘Act’).
  2. The controller of personal data of whistleblowers, persons related to whistleblowers, persons assisting whistleblowers, and persons concerned by internal reports is Wienkra.
  3. The personal data controller can be contacted in the manner specified in Chapter 2 of this Policy, using the following contact details:
    1. by telephone at: +48 505 600 630;
    2. by email at: nowak@wienkra.pl.
  • OBLIGATIONS OF THE CONTROLLER:
  1. The Controller shall select and apply appropriate technical measures, including in particular programming and organisational measures, with due care to ensure the protection of the data being processed, in particular to protect the data against unauthorised access, disclosure, loss and destruction, unauthorised modification, as well as processing in violation of applicable law.
  2. The personal data controller ensures that access to personal data contained in the report is restricted to persons who have been authorised in writing by the controller to process such data. These persons are obliged to maintain the confidentiality of the information and personal data they obtain in the course of their duties related to the handling of whistleblowers, such as receiving and verifying reports and taking follow-up action.
  3. The personal data controller informs the whistleblower who made the report about the rules for the protection of their personal data.
  • HANDLING OF INTERNAL REPORTS:
  1. The unit authorised to receive internal reports within the Wienkra organisation is the Reporting Officer.
  2. An internal report may be made in particular:
    1. Verbally – via a dedicated hotline at: +48 538 562 321. Verbal reports are documented by the Reporting Officer in the form of a conversation log, which accurately reflects the course of the conversation. The whistleblower may check, correct and approve the transcript of the conversation or the conversation log by signing them;
    2. Verbally – at the Whistleblower’s request, an Internal Report may be made during a direct meeting with the Reporting Officer. A meeting with the Reporting Officer will be arranged within 14 days of the Whistleblower submitting their request using one of the Reporting Channels indicated in this paragraph. During the meeting, with the express consent of the Whistleblower, the Reporting Officer shall draw up a report. If the Whistleblower consents to the preparation of the report, they shall have the right to review, correct and approve the report by signing it.
  3. The Entity does not provide for the possibility of making an Internal Report anonymously by sending a report to an email address.
  4. The Whistleblower should familiarise themselves with the rules on the protection of personal data of whistleblowers contained in this document.
  5. Obtaining the Whistleblower’s consent to disclose their identity is not required in situations where disclosure of identity is necessary and proportionate as an obligation under the law, in connection with investigations conducted by public authorities, as well as preparatory or court proceedings conducted by courts, including to guarantee the right of defence of the person concerned by the report.
  • PURPOSES AND BASIS FOR THE PROCESSING OF PERSONAL DATA BY THE CONTROLLER:

The Personal Data Controller processes the personal data of whistleblowers for the following purposes and on the following bases:

  1. To fulfil the legal obligations incumbent on the Controller – pursuant to Article 6(1)(c) of the GDPR – in particular to accept reports, conduct investigations and take follow-up action in connection with the Whistleblower Protection Act of 14 June 2024 (Journal of Laws, item 928).
  2. establishing, pursuing and enforcing claims and defending against claims in court proceedings and before other enforcement authorities. For this purpose, the Controller may process personal data of whistleblowers necessary to prove the existence of a claim or which result from a legal requirement, court order or other legal procedure – pursuant to Article 6(1)(f) of the GDPR – i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, where the legitimate interest pursued by the Controller is to establish and pursue such claims and defend against claims;
  3. internal administrative purposes of the personal data controller, including resource management, statistics and internal reporting of the personal data controller pursuant to Article 6(1)(f) of the GDPR – i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, where the legitimate interest pursued by the Controller is the need to ensure the continuous, secure and uninterrupted operation of the business;
  4. Disclosure of personal data of whistleblowers to other entities, e.g. unauthorised persons, provided that the whistleblower has consented to such disclosure pursuant to Article 6(1)(a) of the GDPR.
  • ACCESS TO PERSONAL DATA CONTAINED IN THE REPORT:
  1. The Controller shall transfer the personal data of whistleblowers only to entities authorised to process them on the basis of law or internal regulations of the Controller.
  2. Personal data may be transferred to external entities that support the Controller in receiving internal reports. The transfer of data is based on a personal data processing agreement, which specifies, among other things, the scope, duration, purpose of processing, type of data and the rights and obligations of the controller, in accordance with Article 28 of the GDPR. The Administrator ensures that such an entity will be checked in advance for an adequate level of personal data protection in connection with the performance of this task (receiving reports from whistleblowers).
  3. The provision of personal data by whistleblowers is not necessary in order to fulfil the obligations arising from the provisions of the Whistleblower Protection Act. The provision of personal data when making a report is voluntary. If personal data enabling identification is provided, the personal data of whistleblowers will not be made available to unauthorised persons, unless the whistleblowers consent to the disclosure of their identity.
  4. The personal data of whistleblowers may be transferred to the following categories of personal data recipients:
    1. State authorities, such as the public prosecutor’s office, the police or the courts, may receive personal data in connection with an investigation or court proceedings, where this is necessary and proportionate in accordance with the requirements of the law;
    2. Authorities authorised by the Controller to receive and verify reports of violations of the law and to take follow-up action in connection with reports made by whistleblowers;
    3. Service providers used by the Controller, e.g. for electronic communication with whistleblowers.
    4. Entities to whom whistleblowers give consent to disclose their identity.

A detailed list of providers is kept up to date by the Controller, and whistleblowers may obtain access to the data of entities to whom whistleblower data is entrusted for the purposes specified above by contacting the Controller.

The above providers are mainly based in countries of the European Economic Area (EEA). The Administrator may entrust specific activities to recognised subcontractors operating outside the EEA. Personal data transferred outside the EEA will be protected by appropriate legal safeguards so that the recipients guarantee a high level of personal data protection. These guarantees result in particular from the obligation to apply standard contractual clauses adopted by the Commission (EU) or binding corporate rules duly approved by a supervisory authority within the meaning of the GDPR. The method of data protection complies with the principles set out in Chapter V of the GDPR. Whistleblowers may request the Controller to provide additional information on the safeguards applied in this regard, obtain a copy of these safeguards and information on where they are disclosed. In addition, the Controller shall inform the data subjects of its intention to transfer personal data outside the EEA at the stage of collecting personal data.

  • EXERCISE OF RIGHTS BY DATA SUBJECTS:

The Controller ensures the exercise of the rights of data subjects, which include:

  • the right to request access to their personal data,
  • the right to request the rectification of their personal data,
  • the right to request the erasure of their personal data,
  • the right to request restriction of the processing of their personal data,
  • the right to object to the processing of their personal data,
  • the right to request the transfer of their personal data,
  • where personal data are processed on the basis of consent, the right to withdraw consent, whereby the withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

In order to exercise the above rights, please contact the Personal Data Controller in writing at the following address: ul. Kotlarska 34, 31-539 Kraków, Poland, or by email at: katarzyna.nowak@wienkra.pl.

If any of the above requests are submitted to the Controller, the Controller shall, without undue delay, and in any case within one month of receipt of the request, inform the whistleblower of the actions taken in response to the request submitted by the whistleblower.

If necessary, the Personal Data Controller may extend the one-month period by a further two months due to the complex nature of the request or the number of requests.

In any case, the Personal Data Controller shall inform the whistleblower within one month of receiving the request of the extension and the reasons for the delay.

The exercise of certain rights of data subjects is subject to the restrictions referred to in Article 8(5) and (6) of the Whistleblower Protection Act:

  1. The controller shall not inform persons whose data are processed on the basis of Article 14 of the GDPR (i.e. the person concerned by the report and the person indicated in the report) of the source of the personal data, unless the whistleblower does not meet the requirements set out in Article 6 of the Whistleblower Protection Act or has given their express consent.
  2. The personal data controller shall not disclose information about the source of the data in the exercise of the right of access to such data, unless the whistleblower does not meet the requirements set out in Article 6 of the Whistleblower Protection Act or has given their express consent.
  • RETENTION AND DELETION OF PERSONAL DATA:
  1. Personal data processed within the internal reporting system shall be retained for a period of 3 years from the end of the calendar year in which the follow-up actions were completed or after the completion of the proceedings initiated by those actions.
  2. The controller does not collect personal data that is not necessary for the investigation of the report. Personal data that is not necessary for the investigation of the report shall be deleted within 14 days of it being determined that it is not relevant to the case under investigation.
  3. The controller processes personal data for the period necessary to achieve the purposes of processing specified in this document, subject to paragraphs 1 and 2 above, i.e.:
    1. data necessary to establish and pursue any claims and defend against claims – until the expiry of the limitation period specified by generally applicable law (in particular the Civil Code);
    2. for internal administrative purposes and the continuous and uninterrupted operation of the Controller – for the period until the legitimate interests of the Controller of personal data constituting the basis for such processing are fulfilled or until you object to such processing;
    3. in the scope of disclosure of personal data to other entities, e.g. unauthorised persons, until the data subject withdraws their consent.
  • COMPLAINT TO THE SUPERVISORY AUTHORITY:

If the whistleblower believes that the processing of their personal data violates the GDPR, they have the right to lodge a complaint with the supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement.

In Poland, the supervisory authority within the meaning of the GDPR is the President of the Personal Data Protection Office (PUODO).

INFORMATION ON THE USE OF COOKIES ON THE WEBSITE

  1. GENERAL

When browsing the Website, ‘cookies’ are used, hereinafter referred to as ‘Cookies’, i.e. small text files that are stored on the user’s end device in connection with the use of the Website. Their use is intended, among other things, to ensure the proper functioning of the Website.

These files make it possible, in particular, to identify the software used by the Website user and to adapt the Website to their individual needs.

Cookies usually contain the name of the domain from which they originate, their storage time on the device and the assigned value.

  1. SECURITY AND TYPES OF FILES

The Cookies used by the Administrator are safe for the user’s devices. In particular, it is not possible for viruses or other unwanted software or malware to enter the user’s devices through Cookies.

Two types of cookies are used on the Website:

  1. Session cookies: these are stored on the user’s device and remain there until the end of the browser session. The stored information is then permanently deleted from the device’s memory. The mechanism of session cookies does not allow the collection of any personal data or confidential information from the user’s device.
  2. Persistent cookies: these are stored on the user’s device and remain there until they are deleted. Ending a browser session or turning off the device does not delete them from the user’s device. The mechanism of persistent cookies does not allow for the collection of any personal data or confidential information from the user’s device.
  • PURPOSES OF USING COOKIES

The Administrator may also use cookies from external entities. Cookies used by the Administrator can be divided into main categories and purposes for which they are used, i.e.: 1. Basic (Necessary) Cookies, 2. Other (Unclassified) Cookies.

Below is a detailed description of the purposes for which they are used and by which entities. Each of these entities also independently determines its own privacy policy – links to the policies of individual providers can also be found below. The Administrator encourages you to familiarise yourself with them.

The following cookies are used:

| Cookie name | Lifetime | Purpose | Own/third parties | Provider | Category |
|---|---|---|---|---|---|
| Cmplz_banner-status | – | – | Own | Wienkra | Necessary |
| YSC | – | This cookie is set by a service offered by YouTube – marketing purpose | Third party | Youtube.com | Other |
| __Secure-ROLLOUT_TOKEN | – | This cookie is set by a service provided by YouTube – marketing purpose | Third party | Youtube.com | Other |
| VISITOR_INFO1_LIVE | – | This cookie is set by a service provided by YouTube – marketing purpose | Third party | Youtube.com | Other |

Detailed information about the possibilities and methods of handling cookies is available in the settings of the software (web browser) used by each user of the Website.

PERSONALISED ADVERTISEMENTS

Cookies may be used by advertising networks, in particular the Google network, to display advertisements tailored to the preferences of the user (visitor to the Website), including the presentation of personalised advertisements. For this purpose, information may be stored, including, in particular, information about how the user navigates the network, search terms and the time spent on the website.

Personalised advertisements (sometimes also referred to as interest-based advertisements) are tools that can be used to increase the relevance of advertisements to the user’s preferences and interests.

EDITING, ENABLING AND BLOCKING COOKIES

To view and edit information about preferences collected by the Google advertising network, each user can use the tool available at https://www.google.com/ads/preferences/ and https://policies.google.com/technologies/partner-sites.

Using the settings of their web browser, or by configuring the service, the user can independently and at any time change the settings for cookies, specifying the conditions under which cookies are stored on and gain access to their device. These settings can be changed to block the automatic handling of cookies in the web browser settings or to inform the user each time cookies are placed on their device.

At the same time, the user may also disable or withdraw consent to the use of external cookies, as well as remarketing pixels, using Network Advertising at: https://optout.networkadvertising.org/?c=1.