This document constitutes the implementation of the Controller’s information policy towards the users of sunroof.se (Website) in all aspects of personal data processing and protection. Personal data may be processed as a result of browsing the Website or in connection with contacting the Controller. We take care over the protection, collection, processing and use of your personal data in accordance with the applicable laws.
1. Information on the Controller and personal data collection. The origin of the data.
1.1. Pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), the Controller of your personal data is SunRoof Technology spółka z ograniczoną odpowiedzialnością with its registered office in Łódź, ul. Roosevelta 8, 90-056 Łódź, entered into the Register of Entrepreneurs of the National Court Register, under KRS number 0000789666, NIP (Tax Identification Number) 7252290395, REGON (National Business Registry Number):383632393, fully paid up share capital of PLN 10,000.00, the registration court: the District Court for Łódź-Śródmieście in Łódź, the Commercial Court, 20th Commercial Division of the National Court Register, phone no: +48 787 960 436, e-mail address email@example.com (hereinafter referred to as the Controller).
1.2. The Controller processes the identification and contact data provided by you on the Website as well as the data contained in cookies and the Website navigation data.
Identification and contact data. The Controller processes your personal data for the purpose necessary for the proper functioning of the Website, contact via the Website tools, including a contact form, other communication and contact, including in matters of submitting and accepting offers, sending commercial information, concluding and performing contracts concluded via the Website, i.e. contracts for providing electronic services, concluding and performing other contracts, accounting and financial reporting, pursuing claims, as well as for marketing and statistical purposes. For these purposes, the Controller collects your personal data, such as: first name and surname, e-mail address, telephone number and address, company name, NIP, REGON and other data provided during contact, in particular in the contact form. If a contract is concluded, the provision of the personal data is necessary for the performance of the contract. If the processing is optional, the data will be processed on the basis of consent, which will result from the content of the granted consent.
The Controller processes the personal data provided by you in the contact form for the purpose of performing the electronic service — the contact form. For this purpose, the Controller collects your personal data such as: first name, e-mail address, telephone number. Providing an e-mail address is necessary to respond to a query made via the contact form by electronic means, and in the case of your request for telephone contact; it is also necessary to provide your telephone number. The processing is carried out pursuant to Article 6(1)(b) of the Regulation.
Navigation data. The IT systems and software procedures created for the purpose of managing the Website acquire, in the course of normal operation, certain personal data, the transmission of which is enabled by default during the use of communication protocols. This data category includes the IP addresses or domain names of computers and terminals used by the users, URI / URL addresses (Uniform Resource Identifier/Locator) of the requested resources, time of request, method used to send a request to the server, the size of the obtained return file, a numerical code indicating the status of the server response (success, error, etc.) and other parameters related to the operating system and the IT environment of the User. These data are used only to obtain anonymous statistical information on the use of the website and to check the proper functioning of the services offered.
Google Analytics. The Website also uses Google Analytics in order to analyse traffic on the website, and to collect and analyse data on the behaviour of users visiting the Website. The analysis of traffic on the network is used mainly to optimise the website. According to the specific functionalities of Google Analytics, cookies can be used for marketing purposes, and the data contained therein may be profiled.
The operator of Google Analytics is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351 with its registered office in the USA.
The User may not consent to the collection of data related to the use of the Website by Google Analytics and to the processing of such data by Google, and may prevent such activities. For this purpose, you should download the browser add-on available here: tools.google.com/dlpage/gaoptout and then install it.
1.3.The processing takes place on the basis of:
a) Article 6(1)(b) of the Regulation – in the scope of the personal data necessary for the implementation of the contract, as well as in the scope of the personal data provided by you in order to take action at your request prior to the conclusion of the contract, e.g. for the purpose of contacting prior to the conclusion of the contract, answers to questions, communication, including via the contact form, communicator, etc.
b) Article 6(1)(c) of the Regulation – in the scope of the personal data, the processing of which is necessary to fulfil the legal obligation imposed on the controller, e.g. for the purpose of issuing invoices, as well as for the purposes of accounting and financial reporting.
c) Article 6(1)(f) of the Regulation – in the scope of the personal data, the processing of which is necessary for the purposes resulting from legitimate interests pursued by the Controller, i.e. sending commercial information, as well as for the purposes of direct marketing or pursuing claims.
d) Article 6(1)(a) of the Regulation – in the case of expressing consent if the data processing is optional.
1.4. With regard to your personal data, the Controller does not take automated decisions, decisions resulting from automated processing, including profiling within the meaning of the Regulation. However, data may be profiled according to the functionalities of Google Analytics.
1.5. The Controller stores your personal data only for the period necessary to implement the contract, including pursuing claims and maintaining compliance with the requirements resulting from the applicable provisions of law, including tax provisions as well as for the period necessary for other purposes of the processing indicated herein. In the case of personal data processed on the basis of your consent, the Controller stores them for the period necessary for the purpose of the processing or until you withdraw your consent. After the expiry of these periods, your personal data will be erased. Navigation data will not be processed for more than seven days (excluding the necessity resulting from the activities of competent authorities, in the case of which they may be processed for a longer period in accordance with that necessity).
2. Rights of the data subject
2.1. You have the right to obtain from the Controller, the confirmation of whether it processes your personal data, the right to request access to such data, and the right to obtain information from the Controller regarding the purposes of the processing and the categories of the personal data processed, information on recipients or the categories of recipients to whom your personal data are disclosed, the planned period of storing your personal data, the source of the data in the case that they have not been collected from the data subject, and information whether the Controller takes automated decisions with regard to the data subject, including, among others, profiling. You also have the right to obtain a copy of your data.
2.2. In addition, you have the right to request rectification of your personal data, the right to request the erasure of your personal data, the right to request restriction of the processing, the right to data transfer, and the right to object to the processing. You can exercise these rights:
2.2.1. with regard to the request for the rectification of the data: if your data is incorrect or incomplete;
2.2.2. with regard to the request to erase the data: if your data is no longer necessary for the purposes for which they were collected by the Controller, you withdraw your consent to the data processing, you object to the data processing, your data is processed unlawfully, your data should be erased in order to fulfil an obligation arising from the provision of law, or your data have been collected in connection with the provision of information society services;
2.2.3. with regard to the request to restrict the data processing: if your data are incorrect, you may request restriction of their processing for a period that allows the Controller to verify the correctness of such data; the processing of your data takes place in violation of the law, but you do not wish to erase them; your data is no longer necessary for the Controller, but you need them to establish, pursue or defend claims; or you object to the data processing until it is determined whether the legitimate grounds on the part of the Controller overrides the basis of the objection;
2.2.4. with regard to the request for data transfer: if the processing of your data takes place on the basis of your consent or contract, and if the processing takes place in an automated manner;
2.2.5. with regard to the right to object: if the processing of your personal data takes place on the basis of legitimate interests, and the objection is justified due to your particular situation, and if your personal data are processed for the purposes of direct marketing, including profiling.
2.3. You also have the right to lodge a complaint with the supervisory authority if you consider that the processing of your personal data violates the provisions of the Regulation. In Poland, the supervisory authority is the President of the Office for the Personal Data Protection (ul. Stawki 2, 00-193 Warsaw).
2.4. The implemented security procedures mean that, prior to the exercise of your rights, we may ask you to confirm your identity.
3. Consent on the personal data processing
3.1. If the data processing is optional, e.g. if the Controller processes personal data which are not necessary for the provision of the service or contract, the provision of such data by you is always voluntary, after you consent to the data processing.
3.3. You may withdraw your consent at any time in the same manner in which you granted it.
3.4. In addition, you may always withdraw your consent by sending a statement on withdrawing your consent to the Controller in the manner specified in point 6 hereof.
3.5. The withdrawal of your consent does not affect the lawfulness of the processing based on the consent before its withdrawal.
4. Information on the recipients / categories of the recipients of your personal data
4.1. The Controller may also partially use the services provided by external service providers who process the personal data on behalf of the Controller, e.g. hosting service providers, email service providers, accounting service providers, payment service providers, dispatch service providers, debt collection service providers, and marketing service providers. However, the provision of your data may be used only for the purpose of providing their services. The Controller uses only the services of such entities which provide sufficient guarantees for the protection of the rights of the data subjects. If the given entities are not independent controllers, the personal data processing by these entities takes place on the basis of written contracts concluded with the Controller. These entities comply with the Controller’s instructions and are subject to their audits. The data made available by you on the Website, in particular the image, will be also available to the Website users.
4.2. Your data may be provided for entities related to the Controller for purposes strictly related and necessary for the provision of services, such as IT system management, or for the purpose of processing operations carried out by other branches of the group for the same purposes.
4.3. The personal data provided by the user ordering the dispatch of information materials (brochures and other information materials, etc.) will be used only for the purpose of organising the delivery and disclosed to third parties (post offices, marking companies, couriers, etc.) only if this is necessary to achieve it.
4.4. Furthermore, in connection with the use of specific services by the Controller, including e.g. gmail, Google Analytics, Google Drive and G-suite, your data may be transferred outside of the EEA, but only if there is a guarantee of the adequate level of protection, e.g. resulting from the participation of a given entity in the Privacy Shield program, established by Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
4.5. The Controller also has its fan page on Facebook and Instagram. Therefore, the data in the form of a first name and surname or other data, as appropriate to the functionalities of these websites, may be collected and then made available to the Facebook or Instagram operator, and in this case, the purpose of the data processing is to use the controller’s website and market services by means of these websites.
4.6. The Website contains links to other websites. Their presence may mean the collection of your data by websites and for websites managed by third parties. The management of information collected by third parties is also subject to appropriate adjustment in accordance with the rules applied by a given separate controller.
4.7. Apart from the aforementioned circumstances, the data will not be made available to anyone, except for the situations arising from contractual requirements or with the consent of the person concerned. In these cases, the personal data may be made available to third parties provided that:
– explicit consent to the provision of the data for third parties has been expressed;
– there is a need to make the data available to third parties in order to perform the ordered service or to perform the contract;
– at the request of competent authorities.
In any other cases, data will not be disseminated.
5. Personal data security
5.1. The Controller processes your personal data in accordance with the provisions of the Regulation, and it applies appropriate technical and organisational measures to ensure the security and adequate confidentiality and integrity of your personal data, including protection against unauthorised access, unauthorised modification, disclosure or destruction of such data.
6. Contact data
6.1. Any demands, requests, notifications and queries relating to the personal data processing may be sent by e-mail to the following e-mail address: firstname.lastname@example.org or in writing to the following address: SunRoof Technology spółka z ograniczoną odpowiedzialnością with its registered office in Łódź, ul. Roosevelta 8, 90-056 Łódź.
As at 1 February 2020