1. General provisions
This Website privacy policy is for information purposes only, which means that it does not create obligations for persons using the Website. The Privacy Policy primarily contains rules regarding the processing of personal data collected by the Administrator on the Website, including the grounds, purposes and duration of the processing of personal data and the rights of data subjects, as well as information on the use of cookies and similar technologies and analytical tools on the Website.
The Administrator of the personal data collected via the Website is OTIF PROFIL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Karsewo (registered office and delivery address: Karsewo 24, 62-220 Niechanowo); entered in the Register of Entrepreneurs of the National Court Register under KRS number 0000663898; the register court where the company’s records are kept: District Court Poznań – Nowe Miasto and Wilda in Poznań, IX Economic Division of the National Court Register; share capital: PLN 20,000; NIP: 7842503544; REGON: 366617547, e-mail address: biuro@otif-profil.pl, contact telephone numbers: 782 343 235, 663 493 058 – hereinafter referred to as the „Administrator” and which is also the Owner of the Website.
Personal data on the Website is processed by the Administrator in accordance with the applicable legal provisions, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as „GDPR” or „GDPR Regulation”.
The use of the Website is voluntary. Likewise, the related provision of personal data by the user using the Website is voluntary, with the proviso that failure by the user to provide certain data required for the use of a certain functionality of the Website – may result in the impossibility to use that functionality (e.g. contact form). The provision of personal data in such a case is a contractual requirement, and if the data subject wishes to use a specific functionality made available on the Site by the Administrator, he/she is obliged to provide the required data. Each time the scope of data required to use a Website functionality is indicated by the Administrator on the Website (e.g. before filling in the contact form).
The Administrator shall take special care to protect the interests of the persons whose personal data it processes, and in particular shall be responsible for and ensure that the data it collects are:
(1) processed lawfully;
(2) collected for specified, legitimate purposes and not subjected to further processing incompatible with those purposes;
(3) Substantially correct and adequate in relation to the purposes for which they are processed;
(4) kept in a form which permits the identification of data subjects for no longer than is necessary to achieve the purpose of the processing; and
(5) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
Taking into account the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons of varying probability and seriousness, the Controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the RODO Regulation and to be able to demonstrate this. These measures shall be reviewed and updated as necessary. The Administrator shall apply technical measures to prevent unauthorised persons from obtaining and modifying personal data sent electronically.
All words, phrases and acronyms appearing in this privacy policy and beginning with a capital letter shall be understood in accordance with their meaning as set out in this document.
2. Grounds for data processing
The controller is entitled to process personal data where, and to the extent that, one or more of the following conditions are met:
(1) the data subject has given his or her consent to the processing of his or her personal data for one or more specified purposes;
(2) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(3) processing is necessary for compliance with a legal obligation incumbent on the Controller; or
(4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The processing of personal data by the Controller requires in each case the existence of at least one of the grounds indicated above. The specific grounds for the processing of personal data of the Website users by the Administrator are indicated in the next section of the privacy policy – with reference to the respective purpose of the processing of personal data by the Administrator.
3. Purpose, basis and duration of data processing on the Website
In each case, the purpose, basis and period and recipients of the personal data processed by the Administrator result from the activities undertaken by the user concerned on the Website.
The Controller may process personal data on the Website for the following purposes, on the following grounds and for the following duration in accordance with the table below:
Purpose of data processing
Article 6 (1.b) of the GDPR Regulation (performance of a contract) – processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract, such as, for example, to respond to an enquiry sent by a user via a contact form
Article 6 (1.f) of the GDPR Regulation (legitimate interest of the Controller) – processing is necessary for the purposes of the Controller’s legitimate interests – consisting of looking after the interests and good image of the Controller and pursuing the provision of services
The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but not longer than the period of limitation of claims against the data subject in respect of the Administrator’s business activities. The period of limitation shall be determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years).
The Controller may not process data for direct marketing purposes in the event of an effective objection to this effect by the data subject.
Marketing
Article 6 (1.a) of the GDPR Regulation (consent) – the data subject has consented to the processing of his/her personal data for marketing purposes by the Controller
Data is stored until the data subject has withdrawn his or her consent to further processing of his or her data for these purposes
Article 6 (1.f) of the GDPR Regulation – processing is necessary for the purposes deriving from the Administrator’s legitimate interests – consisting of determining, asserting or defending claims which may be raised by the Administrator or which may be raised against the Administrator
The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but not longer than the period of limitation of claims against the data subject in respect of the Administrator’s business activities. The period of limitation is determined by law, in particular the Civil Code (the basic limitation period for claims that may be raised against the Administrator is six years).
Article 6 (1.f) of the GDPR Regulation (legitimate interest of the Administrator) – processing is necessary for the purposes of the Administrator’s legitimate interests – consisting of the operation and maintenance of the Website
The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but no longer than for the period of limitation of the Administrator’s claims against the data subject by virtue of the Administrator’s business activities. The period of limitation is determined by the provisions of law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years).
Article 6 (1.f) of the GDPR Regulation (legitimate interest of the Administrator) – processing is necessary for the purposes deriving from the Administrator’s legitimate interests – consisting of conducting statistics and analysis of traffic on the Website in order to improve the functioning of the Website
The data shall be stored for the period of existence of the legitimate interest pursued by the Administrator, but not longer than the period of limitation of the Administrator’s claims against the data subject by virtue of the Administrator’s business activities. The period of limitation shall be determined by law, in particular the Civil Code (the basic limitation period for claims related to the conduct of business activities is three years).
4. Recipients of data on the Website
For the proper functioning of the Website, it is necessary for the Administrator to use the services of third parties (such as a software provider). The Controller shall only use the services of such processors who provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the RODO Regulation and protects the rights of the data subjects.
Personal data may be transferred by the Controller to a third country, whereby the Controller shall ensure that, in such case, this will be done in relation to a country ensuring an adequate level of protection – in accordance with the GDPR Regulation, and in the case of other countries, that the transfer will take place on the basis of standard data protection clauses. The controller shall ensure that the data subject is able to obtain a copy of his/her data. The Controller shall transfer the collected personal data only if and to the extent necessary for the fulfilment of the specific purpose of the processing in accordance with this Privacy Policy.
The transfer of data by the Administrator does not take place in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Administrator transfers data only when it is necessary for the fulfilment of the given purpose of personal data processing and only to the extent necessary for its fulfilment.
Personal data of Website users may be transferred to the following recipients or categories of recipients:
- service providers supplying the Administrator with technical, IT and organisational solutions enabling the Administrator to carry out its business activities, including its Website and electronic services (in particular, providers of computer software for running the Website, providers of email and hosting, and providers of business management and technical support software to the Administrator) – the Administrator shall make the collected personal data of the user available to the selected provider acting on its instructions only when and to the extent necessary for the fulfilment of the given purpose of data processing in accordance with this Privacy Policy.
legal and advisory service providers providing legal or advisory support to the Administrator (in particular, a law firm) – The Administrator shall make your personal data available to the selected service provider acting on its instructions only if and to the extent necessary to achieve the specific purpose of the data processing in compliance with this Privacy Policy.
5. Profiling
The GDPR Regulation requires the Controller to provide information on automated decision-making, including profiling as referred to in Article 22 (1) and (4) of the GDPR Regulation, and, at least in these cases, relevant information on the modalities of such decision-making, as well as on the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this section of the privacy policy.
The Administrator may use profiling on the Website for direct marketing purposes, but the decisions taken by the Administrator on the basis of this profiling do not concern the conclusion or refusal of a contract or the possibility of using electronic services on the Website. The effect of the use of profiling on the Website may be, for example, to grant a person a discount, to send him/her a discount code, to remind him/her of unfinished activities on the Website, to send him/her a proposal for a service that may match the person’s interests or preferences, or to offer better conditions compared to the Administrator’s standard offer. Despite the profiling, it is the individual who freely decides whether he or she wishes to take advantage of the discount or offer of the Administrator received in this way.
Profiling on the Website involves the automatic analysis or prediction of a person’s behaviour on the Website, e.g. by analysing the person’s previous activity history on the Website. The condition for such profiling is that the Administrator is in possession of the personal data of the person concerned in order to be able to subsequently send him or her, for example, a discount code or an offer.
The data subject has the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects in relation to the person concerned or similarly significantly affects the person concerned.
6. Rights of the data subject
In order to exercise the rights referred to in this section of the privacy policy, the Controller may be contacted by sending an appropriate message in writing or by e-mail to the Controller’s address indicated at the beginning of the privacy policy.
7. Cookies on the Website and Analytics
Cookies are small text files which are sent by a server and stored on the website visitor’s side (e.g. on the hard disk of a computer, laptop or smartphone memory card – depending on the device used by the visitor to our Website). Detailed information on cookies and the history of their creation can be found here, among other places.
Cookies that may be sent by the Website may be divided into different types, according to the following criteria:
- own (created by the Administrator’s Website) and
- owned by third parties (other than Administrator
- session files (stored until you leave the Website or switch off your web browser) and
- permanent (stored for a specific period of time as defined by the parameters of each file or until manually deleted)
- essential (to enable the proper functioning of the Website),
- functional/preferential (to enable the Website to be tailored to the visitor’s preferences),
- analytical and performance (gathering information about the use of the Website),
The Administrator may process the data contained in Cookies when visitors use the Website for the following specific purposes:
storing data from completed forms and surveys (essential and/or functional/ preferential cookies)
- to adapt the content of the Website to the user’s individual preferences (e.g. as regards colours, font size, page layout) and to optimise the use of the Website (functional / preferential cookies)
- keep anonymous statistics on how the Website is used (analytical and performance cookies)
- to display and render advertisements, to limit the number of times advertisements are displayed and to ignore advertisements which the user does not wish to see, to measure the effectiveness of advertisements, and to personalise advertisements, i.e. to study the behavioural characteristics of visitors to the Website by analysing their actions in an anonymous way (e.g. repeated visits to certain pages, keywords, etc.) in order to create their profile and provide them with advertisements tailored to their anticipated interests, also when they visit other websites on the advertising network of Google Page 6 of 8 Ireland Ltd. and Meta Platforms Ireland Ltd. (marketing, advertising and social media cookies)
It is possible to check in the most popular web browsers which Cookies (including the duration of the Cookies and their provider) are being sent by the Website at any given time, in the following way:
in the address bar, click on the padlock icon on the left,
go to the „Cookies” tab.
- in the address bar, click on the shield icon on the left,
- go to the „Allowed” or „Blocked” tab,
- click on the box „Tracking cookies between sites”, „Social network tracking elements” or „Content with tracking elements”
- click on the „Tools” menu,
- go to the „Internet Options” tab,
- go to the „General” tab
- go to the „Settings” tab,
- click on the „Display files” field
- in the address bar, click on the padlock icon on the left,
- go to the „Cookies” tab.
- click on the „Preferences” menu,
- go to the „Privacy” tab,
- click on the „Manage site data” box
By default, most web browsers on the market accept the storing of cookies. You can determine the conditions for the use of cookies via the settings of your own browser. This means that you can, for example, partially restrict (e.g. temporarily) or completely disable the storage of cookies – in the latter case, however, this may affect certain functionalities of the Website.
Your browser’s settings regarding cookies are relevant for your consent to the use of cookies by our Website – in accordance with the regulations, such consent can also be given through your browser settings. Detailed information on how to change your cookie settings and how to delete them yourself in the most popular web browsers is available in the help section of your web browser and on the following pages (just click on the respective link):
- Chrome
- Firefox
- Internet Explorer
- Opera
- Safari
- Microsoft Edge
The Administrator may use on the Website the services Google Analytics, Google Tag Manager and Google Ads provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Administrator to keep statistics and analyse traffic on the Website. The data collected is processed by the above services to generate statistics to help administer the Website and analyse Website traffic. These data are of an aggregate nature. When using these services on the Website, the Administrator collects data such as the source and medium of acquisition of visitors to the Website and their behaviour on the Website, information on the devices and browsers from which they visit the Website, IP and domain, geographical data and demographic data (age, gender) and interests.
It is possible for a person to easily block the provision of information to Google Analytics about their activities on the Website – for this purpose, for example, you can install a browser add-on provided by Google Ireland Ltd. available here.
In connection with the possibility of the Administrator to use advertising and analytical services provided by Google Irelantd Ltd. on the Website, the Administrator points out that full information on the principles of processing of data of visitors to the Website (including information stored in cookies) by Google Ireland Ltd. can be found in the privacy policy of Google services available at: https://policies.google.com/technologies/partner-sites.
8. Final provisions
The Website may contain links to other websites. The Administrator urges that when you go to other websites you should read the privacy policy established there. This privacy policy applies only to this Administrator’s Website and the personal data processed in connection with its use.