PERSONAL DATA PROCESSING POLICY
1.1. Controller – Nextbike Polska S.A. with its registered office in Warsaw at ul. Przasnyska 6b (01-756 Warsaw).
1.2. Personal data – information regarding a natural person, identified or possible to be identified by means of several specific factors defining their physical, physiological, genetic, psychological, economic, cultural or social identity, including image, voice recording, contact data, location data, information contained in correspondence, information gathered by means of recording devices or other similar technology.
1.3. Nextbike Group – companies belonging to Nextbike group in the meaning of art. 4 clause 14 of the Act of 16 February 2007 on protection of competition and consumers.
1.4. Policy – this Policy of personal data processing.
1.5. GDPR – Regulation of the European Parliament and Council (EU) 2016/679 from 27 April 2016 on protection of natural persons in relation to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC.
1.6. Data subject – natural person whose personal data are processed by the Controller.
1.7. Act – Act of 10 May 2018 on personal data protection (Journal of Laws from 2018 item 1000).
1.8. Trusted Partner – entity with which the Controller cooperates, the marketing content of which is directed by the Controller towards the data subject.
2. PROCESSING OF DATA BY THE CONTROLLER
2.1. Pursuant to the carried out economic activity, the Controller gathers and processes Personal Data in accordance with the relevant provisions of law, including in particular GDPR provisions and the principles of data processing envisaged therein.
2.2. The Controller ensures transparency of Personal Data processing, in particular, always informs of the fact of data processing at the time of their gathering, including regarding the purpose and legal basis of such processing (i.e. upon conclusion of agreements on sale of goods or services). The Controller ensures that data are gathered solely in the scope necessary for realization of the indicated purpose and processed exclusively for the period in which it is necessary.
2.3. While processing Personal Data, the Controller ensures their safety and confidentiality as well as access to information on the processing to persons who are their subjects. Should, in spite of the applied safety measures, a breach of Personal Data protection occur (i.e. a leak of data or their loss), the Controller shall inform Data Subjects of such an event in a manner compliant with the provisions of law.
3. CONTACT WITH CONTROLLER
3.1. The Controller may be contacted via e-mail [email protected], contact form at the address www.nextbike.pl, via telephone under 22 208 99 90 or in writing at the address of company seat of Nextbike Polska S.A.
3.2. The Controller has appointed Data Protection Inspector who may be contacted by e-mail [email protected] regarding any matter concerning the processing of personal data by the Controller.
4. SAFETY OF PERSONAL DATA
4.1. In order to ensure integrity and confidentiality of data the Controller has implemented procedures enabling access to Personal Data solely to persons authorized and exclusively within the scope necessary on account of the tasks performed by them. The Controller applies organisational and technical solutions in order to ensure that all operations on personal data are registered and carried out solely by authorized persons.
4.2. The Controller furthermore undertakes all necessary actions to ensure that his subcontractors and other entities cooperating with him provide a guarantee of applying adequate safety measures in each case when they process Personal Data at the order of the Controller.
4.3. The Controller carries out an ongoing risk analysis for risk related to the processing of Personal Data and monitors the adequacy of the applied data protections against the identified threats. In case of necessity, the Controller implements additional measures targeted at increasing data safety.
5. PURPOSES AND LEGAL BASIS OF THE PROCESSING
PROVISION OF SERVICES CONSISTING OF LAUNCHING, MANAGING AND COMPREHENSIVE EXPLOITATION OF SYSTEMS OF CITY BIKE RENTALS
5.2. The Controller, through providing services towards other companies from Nextbike group (in particular ones consisting of the delivery and servicing of the systems of rental of urban bikes) ensures that he has implemented organizational and technological solutions specified in art. 28 of GDPR, targeted at ensuring correct realization of user rights, as specified in Module 9 of the Policy.
5.3. Each time the cooperation of the Controller and other companies from Nextbike group which avails of the service of subcontracting by the Controller is realized pursuant to the binding instrument legalizing entrusting of personal data processing for the users of the system of urban bike rental.
USE OF NEXTBIKE WEBSITES
5.4 Personal data (including IP address or other identifiers and information gathered by means of cookies files or other, similar technologies) of all persons using the websites www.nextbike.pl, www.relacje.nextbike.pl or other pages involving the activity of companies from Nextbike group which are not parties of the respective systems of urban bike rentals, shall be processed by the Controller:
5.4.1 for the purpose of providing services via electronic means in the scope of providing the Users with the content gathered on a given website – in such case the legal basis for the processing shall be the indispensability of the processing for the execution of agreement (article 6, sec. 1, letter b of GDPR);
5.4.2 for analytical and statistical purposes – in such case the legal basis for the processing shall be legally justified interest of the Controller (article 6, sec. 1, letter f of GDPR), consisting of carrying out analyses of Users’ activities, as well as their preferences in order to improve the applied functionalities and the provided services;
5.4.3 for the purpose of potential establishing and seeking claims or defending against claims – legal basis for the processing shall be legally justified interest of the Controller (article 6, sec. 1, letter f of GDPR), constituting the protection of his rights.
5.5 User activity on the websites specified in Clause 5.4, including his Personal Data, is registered by system logs (special computer software targeted at storing of chronological record containing information on events and actions which concern the IT system for the provision of services by the Controller). Information gathered in the logs is processed above all for the purposes related to the provision of services. The Controller shall process it also for technical and administration purposes, for the purposes of ensuring safety of the IT system and its management, further to analytical and statistical purposes – in this scope the legal basis for the processing shall be legally justified interest of the Controller (article 6, sec. 1, letter f of GDPR).
CONTACT FORMS AVAILABLE ON THE WEBSITES
5.6 The Controller ensures the possibility of contacting him by means of online contact forms available on the Controller’s websites. The use of such form requires indicating personal data necessary for contacting with the user and granting a reply to an inquiry. The User may indicate also other data in order to facilitate contact or servicing of the inquiry. Indication of data marked as obligatory is required in order for the given inquiry to be accepted and failure to indicate same results in lack of possibility of handling them. Indication of the remaining data is voluntary.
5.7 Personal Data are processed:
5.7.1 For identification of the sender and servicing the demand or granting replies to questions sent by means of the contact form – legal basis for the processing is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of enabling the service of demands and granting replies to the questions asked in particular by persons interested in receiving the services provided by the Controller;
5.7.2 For the purpose of monitoring and improvement of the quality of services, including servicing clients – legal basis for the processing is the justified interest of the Controller (art. 6, sec. 1 letter f of GDPR), consisting of enabling an increase of quality of the provided services through the Controller.
5.8 The Controller processes personal data of users visiting the profiles of the Controller maintained within the social media (Facebook) and LinkedIn portal. These data are processed solely in relation to the conduct of profile, including for the purpose of informing the Users regarding the Controller’s actions and promoting various types of events, services and products. Legal basis for the processing of personal data by the Controller for this purpose is his justified interest (art. 6 sec. 1 letter f of GDPR) consisting of promoting his own brand.
EMAIL AND POSTAL CORRESPONDENCE
5.9 In case of directing towards the Controller, by means of email post or traditional post, correspondence unrelated to the services provided towards the sender, other agreement concluded with him or another manner unrelated to any relation with the Controller, personal data contained in the correspondence are processed solely for the purpose of communication and termination of a matter to which such correspondence refers.
5.10 Legal basis for the processing is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of the conduct of correspondence directed at him pursuant to his economic activity.
5.11 The Controller confirms solely the Personal Data significant for the given matter to which such correspondence refers. Entire correspondence is stored in a manner ensuring safety of personal data contained therein (or other information) and is accessible solely to authorized persons.
5.12 In case of contacting the Administrator via telephone regarding matters related to the concluded agreement or the provided services, the Controller may demand indication of personal data only when it is deemed as necessary in order to handle a given matter to which the contact refers. Legal basis in such case is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of the necessity to handle the submitted matter related to the economic activity conducted by him.
5.13 Telephone conversations may also be recorded – in such case at the beginning of each conversation, appropriate information is passed on to the natural person. Conversations are registered for the purpose of monitoring the quality of the provided service and verifying the work of consultants as well as for statistical purposes. Recordings are available solely for the employees of the Controller and persons servicing the Controller’s hotline.
5.14 Personal data in the form of recording conversations are processed:
5.14.1 For the purposes related to servicing clients and interested parties by means of a hotline – legal basis for the processing is the necessity to process for the provisions of service (art. 6 sec. 1 letter b of GDPR);
5.14.2 For the purposes of monitoring the quality of service and verifying the work of consultants servicing the hotline as well as for analytical and statistical purposes – legal basis for the processing is the justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of looking after the highest quality of service towards the clients or interested parties as well as the highest quality of work of the consultants and carrying out statistical analyses concerning telephone communication.
VISUAL MONITORING AND ENTRANCE CONTROL
5.15 Pursuant to the necessity of ensuring safety to persons and property the Controller uses visual monitoring and controls access to premises and to the area managed by him. Data gathered in this way are not used for any purposes other than those specified below.
5.16 Personal data in the form of monitoring recordings and data gathered within the register of entries and exits are processed in order to ensure safety for persons and property and maintain order within the facility and potentially in order to protect against claims raised against the Controller or establish and pursue claims by the Controller. Legal basis for the processing of personal data is legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of ensuring safety for persons and property located within the area managed by the Controller and protection of his rights.
5.17 The area covered by the Controller with monitoring is marked by means of adequate graphic signs.
5.18 In the framework of recruitment processes the Controller expects passing of Personal Data (i.e. contained in CVs) solely in the scope specified in the provisions of the labour code. Pursuant to this one must not pass on information in a wider scope. In case when the passed applications contain additional data going beyond the scope indicated by the provisions of the labour code, their processing shall be based on the consent of a candidate (art. 6 sec. 1 letter a of GDPR) expressed by an explicit confirming action which is the submission by a candidate of application documents. In case when the submitted applications contain information irrelevant to the purpose of recruitment, they shall not be used nor considered in the recruitment process.
5.19 Personal Data are processed:
5.19.1 in case when the preferred form of employment is employment contract – in order to carry out the obligations stemming from the provisions of the law related to the employment process, including above all the Labour Code – legal basis for the processing is the legal obligation resting on the Controller (art. 6 sec. 1 letter c of GDPR) pursuant to the provisions of the labour law;
5.19.2 in case when the preferred form of employment is civil-law contract – in order to carry out the recruitment process – legal basis for the processing of data contained within the application documents is undertaking actions prior to concluding the agreement at the request of the person who is the data subject (art. 6 sec. 1 letter b of GDPR);
5.19.3 in order to carry out the process of recruitment in the scope of data not required by the provisions of law nor by the Controller, as well as for the purposes of future recruitment processes – legal basis for the processing is consent (art. 6 sec. 1 letter a of GDPR);
5.19.4 in order to verify qualifications and skills of a candidate and establish conditions of cooperation – legal basis for the processing of data is legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR). Legally justified interest of the Controller is verification of candidates for work and defining the conditions of potential cooperation;
5.19.5 in order to establish or pursue by the Controller of potential claims or protection against claims raised against the Controller – legal basis for the processing of data is legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR).
5.20 In the scope in which Personal data are processed pursuant to the expressed consent, this consent may be withdrawn at any time, without an impact on compliance with the law of the processing carried out prior to its withdrawal. In case of expressing consent for the purposes of future recruitment processes, personal data are removed after the period of two years – provided that prior consent has not been withdrawn.
5.21 Indication of data in the scope specified in art. 22 (1) of the Labour Code is required – in case of preference by the candidate of employment on the basis of employment contract – by the provisions of law, including above all the Labour Code, whilst in case of preference of employment on the basis of civil law contract – by the Controller. Lack of possibility of considering a given candidature in the recruitment process is the consequence of non-submission of such data. Indication of other data is voluntary.
5.22 The Controller provides the service of newsletter according to the principles specified in the Terms of Service to persons who have indicated their email address for this purpose. Indication of data is required in order to provide services of newsletter and their non-indication results in the lack of possibility of their dispatch.
5.23 Personal Data are processed:
5.23.1 in order to provide service of newsletter shipping – legal basis for the processing is the necessity of processing for the execution of agreement (art. 6 sec. 1 letter b of GDPR);
5.23.2 in order to send you marketing messages concerning the Controller, companies from Nextbike group and trusted partners of the Controller, whose list, updated on an ongoing basis, may be found in section 7 of this Policy – legal basis of the processing of data is the legally justified interest of the Controller, in accordance with art. 6 sec. 1 letter f of GDPR. Legally justified interest of the Controller is direct marketing of own products and services pursuant to the expressed consent for shipping of newsletter;
5.23.3 For analytical and statistical purposes – legal basis for the processing is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of carrying out analyses of activity of Users in the Service in order to improve adequate functionalities;
5.23.4 For the purpose of potential establishing and pursuing claims or protection against claims – legal basis for the processing is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of protection of his rights.
PROCESSING OF PERSONAL DATA OF MEMBERS OF CLIENTS’ PERSONNEL OR CLIENTS COOPERATING WITH THE CONTROLLER
5.24 Pursuant to the conclusion of trade contracts under the conducted economic activity, the Controller obtains from clients/customers data of persons engaged in the process of execution of such contracts (i.e. Persons authorized to contact, submitting orders, executing orders etc.). The scope of transferred data is in each case limited to the degree necessary for execution of a given contract and it normally does not encompass other information than first name and surname as well as business contact data.
5.25 Such personal data are processed for the purpose of realization of legally justified interest of the Controller and his client (art. 6 sec. 1 letter f of GDPR) consisting of enabling the correct and effective execution of the contract. Such data may be disclosed to third parties engaged in the execution of the contract as well as to entities obtaining access to data on the basis of the provisions in the scope of transparency of public information and proceedings carried out on the basis of public procurement law, in the scope envisaged by these provisions.
5.26 Data are processed for the period necessary for realization of the above interests and execution of the obligations stemming from these provisions.
GATHERING DATA IN OTHER CASES
5.27 In relation to the carried out activity the Controller gathers Personal Data also in other cases – i.e. through building and using fixed mutual business contacts (networking) during business meetings, during industry events or through exchange of business cards – for the purposes related to initiating and maintaining business contacts. Legal basis for the processing is in this case the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of creating the network of contacts in relation to the carried out business activity.
5.28 Personal data gathered during such events are processed solely for the purpose for which they were gathered and the Controller ensures their proper protection.
6. DATA RECIPIENTS
6.1 Pursuant to the conduct of activity requiring the processing, Personal Data are revealed to external recipients, including in particular the recipients responsible for the service of IT systems and software (i.e. CCTV equipment in the scope of visual monitoring), entities providing legal or accounting services, couriers, marketing agencies or recruitment agencies. Data are also disclosed to the entities related to the Controller, including the companies from his group of trusted partners.
6.2 The Controller reserves the right to disclose the selected information concerning the Data subject to appropriate authorities or third persons which submit a demand for granting such information, basing on the relevant legal basis and in accordance with the provisions of the binding law.
7. NEXTBIKE GROUP AND ENTITIES COOPERATING WITH THE CONTROLLER
7.1 The Controller, in line with the consent expressed by the Client, for obtaining marketing information obtains information on the products and services offered by the entities from Nextbike Group and entities cooperating with him.
7.2 In case of withdrawal of consent for the purpose of obtaining marketing information by the Controller, the Client shall withdraw consent for receiving marketing information from all entities within the Nextbike Group and entities cooperating with him.
7.3 Nextbike group comprises the following:
7.3.1 NB Tricity Sp. z o.o., ul. Przasnyska 6B, 01-756 Warszawa;
7.3.2 NB Serwis Sp. z o.o., ul. Przasnyska 6B, 01-756 Warszawa;
7.3.3 NB Serwis II Sp. z o.o., ul. Przasnyska 6B, 01-756 Warszawa;
7.3.4 NB Poznań Sp. z o.o., ul. Przasnyska 6B, 01-756 Warszawa.
7.4 Entities cooperating with the Controller (the so called trusted partners):
7.4.1 Bank Handlowy w Warszawie SA, ul. Senatorska 16, 00-923 Warszawa;
7.4.2 Benefit Systems SA, Plac Europejski 2, 00-844 Warszawa;
7.4.3 PKN Orlen SA, ul. Chemików 7, 09-411 Płock;
7.4.4 Visa Europe Management Service Limited, („Visa”), Al. Jerozolimskie 65/79, 00-697 Warszawa.
7.5 The Controller updates on an ongoing basis the list of entities specified in clause 7.3 and 7.4.
8. PASSING DATA OUTSIDE OF EEA
8.1 The level of protection of Personal Data outside the European Economic Area (EEA) differs from one ensured by the European Law. For this reason, the Controller passes Personal Data outside EEA only when it is necessary and subject to provision of adequate degree of protection, above all through:
8.1.1 cooperation with entities processing Personal data in the countries with reference to which an adequacy decision of the European Commission was issued, noting that an adequate degree of protection of Personal Data is ensured;
8.1.2 application of standard contractual clauses issued by the European Commission;
8.1.3 application of the binding corporate rules approved by the competent supervisory authority;
8.1.4 in case of passing over data to the USA – cooperation with entities participating in the programme Privacy Shield, approved by the decision of the European Commission.
9. PERIOD OF PROCESSING OF PERSONAL DATA
9.1 The period of processing of data by the Controller depends on the type of the provided service and purpose of processing. The period of processing of data may also stem from the provisions when they constitute the basis for the processing. In case of processing of data pursuant to the justified interest of the Controller (i.e. due to safety reasons), data are processed for the period enabling realization of such interest or for submission of effective objection towards data processing. Should the processing occur pursuant to the consent, data are processed until its withdrawal. When the basis for processing is the necessity to conclude and execute a contract, data are processed until its termination.
9.2 The period of data processing may be prolonged in case when the processing is necessary for establishing or pursuing claims or protection against claims and after this period – solely in case and scope required by the provisions of law.
10. AUTHORIZATIONS RELATED TO THE PROCESSING OF PERSONAL DATA
RIGHTS OF DATA SUBJECTS
10.1 Data subject is entitled to the following rights:
10.1.1 Right to information on the processing of personal data – on this basis the Controller passes onto a natural person submitting a demand for information on the processing of data, including above all for the purposes and legal bases of the processing, scope of stored data, subjects to whom they are disclosed and the planned term of data removal;
10.1.2 Right to obtain copies of data – on this basis the Controller passes the copy of processed data concerning a natural person submitting a demand;
10.1.3 Right of adjustment – the Controller is obliged to remove potential irregularities or errors in the processed Personal Data and supplement them if they are incomplete;
10.1.4 Right to remove data – on this basis one may demand removal of data the processing of which is not necessary for realization of any of the purposes for which they were gathered;
10.1.5 Right to limit the processing – in case of submission of such a demand the Controller shall cease to carry out operations on Personal Data – with the exception of operations to which the person who is the data subject consented – and their storage in accordance with the accepted retention principles or until the causes of limiting the processing of data are removed (i.e. a decision of supervisory organ allowing for further processing of data is issued);
10.1.6 Right for transferring data – on this basis – in the scope in which data are processed in an automated manner pursuant to the concluded agreement or expressed consent – the Controller releases data delivered by the person who is their subject, in the format allowing for the reading of data on a computer. Demanding the transfer of such data to another subject is also possible, however, subject to the existence in this scope of technical possibilities both on the side of the Controller and also indicated entity;
10.1.7 Right to object against the processing of data for marketing purposes – Data subject may at any time object to the processing of Personal Data for marketing purposes without the necessity of justifying such an objection;
10.1.8 Right to object against other purposes of data processing – Data Subject may at any time object to – due to reasons related to his specific situation – processing of Personal Data which occurs pursuant to the legally justified interest of the Controller (i.e. for analytical or statistical purposes or due to reasons related to the protection of property); objection in this regard ought to contain justification;
10.1.9 Right of consent withdrawal – should data be processed on the basis of granted consent, Data Subject is entitled to withdraw consent at any time which however does not impact compliance with the law of the processing carried out prior to the withdrawal;
10.1.10 Right of complaint – in case of considering that the processing of Personal Data breaches the provisions of GDPR or other provisions concerning the protection of Personal Data, Data Subject may submit a complaint to the authority supervising the processing of Personal Data, appropriate on account of the place of usual residence of Data Subject, his place of work or place of the alleged breach. In Poland such supervisory authority is the Chairman of the Office of Personal Data Protection.
11. SUBMISSION OF DEMANDS RELATED TO EXECUTION OF RIGHTS
11.1 A demand concerning the execution of rights of Data Subjects may be submitted:
11.1.1 in a written form at the address: Nextbike Polska S.A. ul. Przasnyska 6b, 01-756 Warszawa;
11.1.2 via electronic means to the email address [email protected].
11.2 The submitted application ought to, to the extent possible, precisely indicate what a given demand concerns, i.e. in particular:
11.2.1 what entitlements does the person submitting the application wish to use (i.e. right to obtain copies of data, right of data removal etc.);
11.2.2 what processing process does the demand concern (i.e. the use of a specific service, activity in a specific internet service, obtaining a newsletter containing commercial information to a specific email address etc.);
11.2.3 which purposes of processing does the given demand concern (i.e. marketing purposes, analytical purposes etc.).
11.3 If the Controller is unable to identify natural persons pursuant to the submitted demand, he will request additional information from the applicant. Indication of such data is not obligatory, however failure to indicate them shall result in refusal to realize the given demand.
11.4 A demand may be submitted in person or by means of a proxy (i.e. family member). Due to safety reasons the Controller encourages to avail of proxy in the notarized form or an authorized legal representative or advocate which will significantly accelerate verification of authenticity of a demand.
11.5 Reply to the submission ought to be granted within one month from obtaining it. In case of necessity of prolonging this term, the Controller shall inform the Applicant of the causes of such prolongation.
11.6 In case when a demand has been directed at the Company electronically, a reply is granted in the same form, unless the Applicant demands granting a reply in another form. In other cases the replies are granted in writing. In case when the term of realization of a demand prevents granting of a reply in writing, and the scope of data of the Applicant processed by the Controller enables contact via electronic means, the replies must be granted electronically.
12. PRINCIPLES OF CHARGING FEES
12.1 The proceeding in case of submitted applications is free of charge. The fees may be charged solely in case of:
12.1.1 submission of demand of issuance of the second and each subsequent copy of data (the first copy of data is free of charge); in such case the Controller may demand making payment of a fee amounting to 30 PLN. The above fee includes administrative costs related to the processing of a given demand;
12.1.2 submissions by the same persons of excessive demands (i.e. exceptionally frequently) or blatantly unjustified ones; in such case the Controller may demand payment of a fee in the amount of 100 PLN. The above fee includes the costs of conducting correspondence and costs related to undertaking the demanded actions;
12.1.3 in case of questioning a decision regarding payment of a fee, a person who is the subject of data may submit a complaint to the supervisory organ of Personal Data processing, appropriate due to the location of normal residence of that person, his or her place of work or place of performance of the alleged breach. In Poland such supervisory body is the Chairman of Personal Data Protection Office.
13. CHANGES TO THE POLICY OF PERSONAL DATA PROCESSING
13.1 The Policy shall be verified on an ongoing basis and updated in case of necessity.
13.2 Current version of the Policy was accepted on 18 January 2019.