PERSONAL DATA PROCESSING POLICY
- Controller – Nextbike Polska S.A. with its registered seat in Warsaw, ul. Przasnyska 6b, 01-756 Warsaw.
- Mobile Application – mobile application available on mobile phones and portable devices, offered by the Controller for devices operating within Android and iOS systems.
- Personal data – all information about a natural person identified or identifiable by one or more specific factors determining a physical, physiological, genetic, psychological, economic, cultural or social identity, including IP of device, location data, internet identifier, information collected via cookies files and by means of another similar technology.
- Nextbike Group – companies belonging to the Nextbike group in the meaning of art. 4 point 14 of the Act of 16 February 2007 on protection of competition and consumers.
- Client – natural person, participant of the Bike System who has accepted Terms of Service and carried out registration in the Bike System as well as concluded Agreement with the Operator.
- Operator – entity realizing services related to maintenance of the Bike System.
- Terms of Service – document specifying the principles and conditions of use of the Bike System, in particular in the scope of the rights and obligations and the responsibility of persons availing of the services of the Bike System, the Operator of which is the Controller. Terms of Service shall be available at the following address otwockirower.pl/regulamin/.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Service – internet service located at the address otwockirower.pl or available by means of Mobile Application through which the Controller provides services electronically to Users, in particular, the service consisting of facilitating the conduct of bike rentals.
- Bike System – Service Otwocki Rower Miejski realized according to the principles specified within the Terms of Service.
- Act – Act from 10 May 2018 on Personal Data Protection (Journal of Laws from 2018, item 1000).
- User – each natural person visiting the Service or availing of one of several services or functionalities, specified in the hereby Policy.
- Trusted Partner – entity cooperating with the Controller, whose marketing contents are directed by the Controller towards Clients and Users.
II. PROCESSING OF DATA IN RELATION TO THE USE OF THE SERVICE
- In relation to the use by the User of the Service, the Controller gathers data in the scope necessary for the provision of individual offered services as well as information on User activity in the Service. Detailed principles and purposes of the processing of Personal Data gathered during the use of Services by the User have been specified below.
III. PURPOSES AND LEGAL BASES FOR THE PROCESSING OF DATA IN THE SERVICE
USE OF SERVICE
- Personal data of all persons availing of the Service (including the IP address or other identifiers and information stored by means of the cookies files or other similar technologies), which are not registered Users (that is persons who do not have a set up profile within the Service), are processed by the Controller:
- in order to provide services electronically in the scope of making available to users the contents collected on the website – in such case the legal basis for processing is the necessity of processing in order to implement the agreement (article 6, paragraph 1(b) of the GDPR);
- for analytical and statistical purposes – in such case the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of conducting the analysis of users’ activity, as well as their preferences in order to improve the used functionalities and provided services;
- in order to possibly determine and pursue claims or defend against them – the legal basis for the processing is justified interest of the Controller (article 6, paragraph 1(f) of GDPR), consisting of the protection of its rights;
- for marketing purposes of the Controller and other entities – rules for the processing of personal data for marketing purposes have been described in the “Marketing” section.
- The User’s activities in the Service, including their Personal data, are recorded in system logs (special computer programme intended for the storing of chronological record containing information about events and activities concerning the IT system used to provide services by the Controller). Information collected in the logs are processed mainly for the purposes associated with the provision of services. The Controller also processes them for technical and administrative purposes, in order to ensure the security of the IT system, as well as management of this system, and also for analytical and statistical purposes – in this scope the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).
REGISTRATION IN THE SYSTEM PIOTRKOWSKI ROWER MIEJSKI
- Persons who carry out registration in the Bike System are asked to indicate data necessary for the creation and servicing of their account, which is administered by the Operator. Such data may be deleted at any time. Providing data marked as obligatory is required in order to set up and maintain the account, and failure to provide such data results in a lack of the possibility to set up such an account. Indication of the remaining data is voluntary.
- Personal data are processed:
- for the purpose of providing services related to the maintenance and servicing of an account within the Bike System – legal basis for the processing is the necessity to process data for the execution of agreement (art. 6 sec. 1 letter b of GDPR);
- fulfilling public-legal obligations resting on the Controller, above all, those stemming from the accounting provisions and tax provisions – the legal basis for the processing will be the necessity to fulfil legal obligations resting on the Controller (art. 6 sec. 1 letter c of GDPR);
- for analytical and statistical purposes – legal basis for the processing shall be the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of the conduct of analyses of User activities in the Service and the way the accounts are used, as well as User preferences for the purpose of improving the applied functionalities;
- ensuring the possibility of monitoring the locations at which bikes are rented or to which they are returned to in the Bike System or verification by means of GPS system where a given bike is located in case of lack of its return – legal basis for the processing shall be the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR); legally justified interest of the Controller is the protection of material interest through gathering information which enable locating a given bike;
- in order to possibly determine and pursue claims or defend against them – the legal basis for processing is the justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of the protection of its rights;
- for marketing purposes of the Controller and other entities – rules for the processing of Personal data for marketing purposes have been described in the MARKETING
- If a User places any sort of Personal data of other persons in the Service (including their first name, surname, address, telephone number or email address), they may do so solely under the condition of abiding by the provisions of the law and the rights of publicity to which these persons are entitled.
- The Controller provides the possibility of contacting him with the use of electronic contact forms. Using the form requires providing Personal data, necessary for establishing contact between the User and for replying to the inquiry. The User may also provide other data in order to facilitate contact or enable handling of the inquiry. Providing data marked as obligatory is required in order to receive and handle the inquiry, and failure to provide such data results in the lack of possibility to handle such inquiry. Indication of the remaining data is voluntary.
- Personal data are processed:
- for the purpose of identifying the sender and handling their submitted inquiry by means of the available form – the legal basis for the processing shall be the necessity of processing for the execution of agreement on provision of service (art. 6 sec. 1 letter b of GDPR); in the scope of data indicated voluntarily the legal basis for their processing shall be the consent (art. 6 sec. 1 letter a of GDPR)
- for analytical and statistical purposes – the legal basis for the processing shall be the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of the maintenance of statistics of inquiries submitted by Users by means of the Service for the purpose of improving its functionality.
- The Controller processes Personal Data of Users for the purpose of realizing marketing actions which consist of carrying out actions related to the direct marketing of goods and services (sending commercial information electronically and telemarketing actions).
- Personal data of Users may be used by the Controller in order to direct at them marketing content of entities from Nextbike Group as well as entities cooperating with the Controller on various channels, such as by means of an electronic post, including in the form of a newsletter, via text and MMS messages or via telephone. Such actions shall be undertaken by the Controller solely in case when the User has expressed consent which may be withdrawn by them at any time.
- The list of entities forming part of the Nextbike Group and entities cooperating with the Controller may be found in section “NEXTBIKE Group and entities cooperating with the Controller” of our Policy of Transparency.
- In order to realize marketing actions the Controller uses profiling in certain cases. This means that thanks to automated processing of data, the Controller performs an assessment of the selected factors concerning the Users in order to analyse their behaviours or create prognosis for the future. This allows for a better adjustment of the displayed content to the individual preferences and interests of Users.
V. SOCIAL MEDIA
- The Controller processes Personal data of the Users visiting the Controller’s profile accounts in the social media (Facebook, YouTube, Instagram, Twitter). Such data are processed only in connection with the running of a given profile, including to inform Users about the activity of the Controller and to promote various types of events, services and products. The legal basis for the processing of Personal data by the Controller for this purpose is his justified interest (article 6, sec. 1, letter f of GDPR), consisting of promoting his own brand.
VI. COOKIES FILES AND SIMILAR TECHNOLOGY
- Cookies are small text files installed on a device of User browsing the website. Cookies collect information that facilitate the use of a given website – e.g. through memorizing User’s visits in the Service and the activities carried out by them.
- cookies files with data entered by a given User (session identifier) for the duration of a given session (user input cookies);
- authentication cookies used for services requiring authentication for the duration of a given session (authentication cookies);
- cookies used to ensure security, e.g. used to detect abuses in the scope of authentication (user centric security cookies);
- session cookies for multimedia players (e.g. flash player cookies), for the duration of a given session (multimedia player session cookies);
- permanent cookies used to personalize User interface for the duration of a given session or a little longer (user interface customization cookies).
- The Controller and its trusted partners also apply cookies files for marketing purposes, such as pursuant to directing behavioural advertising towards Users. For this purpose, the Controller and its trusted partners store information or obtain access to information already stored in an end telecommunication device of a given User (computer, telephone, tablet etc.)
VII. LOCATION DATA
- The Controller processes personal data of Clients in the scope of location for the purpose of ensuring the possibility of control of location at which bikes were rented or to which they were returned within the Bike System with the use of GPS system or verification, where a bike is located in case of lack of its return – legal basis for the processing will be the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR); legally justified interest of the Controller is the protection of material interest through gathering information which enable locating a bike,
VIII. ANALITICAL AND MARKETING TOOLS APPLIED BY THE CONTROLLER AND ITS PARTNERS
- Google Analytics cookies are the files which are used by Google in order to analyse how a User uses the website, to generate statistics and reports regarding the functioning of the Service. Google does not use the collected data to identify Users and it does not combine these information in order to allow identification. Detailed information about the scope and rules of data collection in connection with this service may be found at: https://www.google.com/intl/pl/policies/privacy/partners.
- Google Adwords is a tool which enables the measurement of efficiency of advertising campaigns realized by the Controller, allowing to analyse such data as, for instance, keywords or number of unique users. Google Adwords platform also allows for a display of our advertisements to person who visited our Service in the past. Information on the processing of data by Google in the scope of the above specified service are available at: https://policies.google.com/technologies/ads?hl=pl.
- Facebook pixels is a tool which enables measurement of the efficiency of advertising campaigns realized by the Controller on Facebook. This tool allows for an advanced data analysis for the purpose of optimizing actions of the Controller also with the use of other tools offered by Facebook. Detailed information on the subject of data processing by Facebook may be found at: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
- The Service uses plug-ins to social media portals (Facebook, Google+, LinkedIn, Twitter). Plug-ins allow Users to disclose the content published in the Service in the selected social media. Application of plug-ins by the Service causes that a given social media obtains information on the use of Service by a given User and such information may be assigned to the profile of a given User, created in that social media portal. The Controller does not possess any knowledge regarding the purpose and scope of data gathering by social media portals. Detailed information on this topic may be found at the following links:
IX. MANAGING COOKIES SETTINGS
- No permission is required solely in case of cookies files the applying of which is necessary for the provision of telecommunication service (data transmission for the purpose of content display).
- Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
- Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
- Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
- Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
- Safari: https://support.apple.com/kb/PH5042?locale=en-GB
- The User may verify the status of their current privacy settings at any time with regards to the used browser, by means of the tools available at:
X. PERIOD OF THE PERSONAL DATA PROCESSING
- The period of data processing by the Controller depends on the type of provided service and the purpose of processing. As a rule, data are processed for the period of provision of service or realization of order, until the time of withdrawal of the granted consent or submission of effective objection towards the processing of data in cases when the legal basis for the processing of data is the legally justified interest of the Controller.
- The data processing period may be extended in case, when the processing is necessary to establish or pursue potential claims or defend against claims, and after this period – only in the case and to the extent that it will be required by the provisions of law. After expiry of the processing period, the data are irreversibly deleted or anonymised.
XI. USER AUTHORIZATIONS
- The User shall be entitled to access the content of data and demand their amendment, removal, limiting of their processing, the right to transfer data and the right to submit an objection towards their processing as well as the right to submit a complaint to the supervisory body dealing with personal data protection.
- In the scope in which User data are processed pursuant to their consent, they may withdraw it at any time by contacting the Controller.
- The User is entitled to submit an objection against the processing of data for marketing purposes should such processing occur pursuant to the legally justified interest of the Controller, as well as – due to reasons related to a particular situation of a given User – in other cases when the legal basis for the processing of data is the legally justified interest of the Controller (i.e. in relation to the realization of analytical and statistical purposes).
- More information on the entitlements stemming from GDPR may be found within our Transparency Policy.
XII. DATA RECIPIENTS
- Pursuant to the realization of services, Personal data shall be disclosed to external entities, including in particular entities from Nextbike Group, entities cooperating with the Controller (the so called trusted partners), providers responsible for servicing IT systems, entities such as banks and payment operators, entities providing accounting services, marketing agencies (in the scope of marketing services).
- In case of obtaining consent from a User, their data may also be disclosed to other entities for their own purposes, including marketing purposes.
- The Controller reserves the right to disclose selected information regarding Users to competent authorities or third parties who will submit a request for providing such information in accordance with an appropriate legal basis and pursuant to the provisions of applicable law.
XIII. TRANSFER OF DATA OUTSIDE THE EEA
- The level of personal data protection outside the European Economic Area (EEA) differs from that provided by the European law. Due to that fact, the Controller transfers personal data outside the EEA only when it’s necessary and subject to ensuring an adequate level of protection, mainly through:
- cooperation with entities processing personal data in countries in regard to which an appropriate decision of the European Commission has been issued concerning ensuring adequate degree of personal data protection;
- use of standard contractual clauses issued by the European Commission;
- application of binding corporate rules approved by a competent supervisory authority;
- in the case of data transfer to the USA – cooperation with entities participating in the Privacy Shield program, Approved by the European Commission.
XIV. SECURITY OF PERSONAL DATA
- The Controller carries out on an ongoing basis market analysis for the purpose of ensuring that Personal data are processed by them in a safe manner – ensuring above all that access to data is granted solely to authorized persons and exclusively in the scope in which it is necessary, due to the tasks carried out by them. The Controller shall take steps to ensure that all operations on Personal data are registered and made solely by authorized employees and collaborators.
- The Controller also undertakes all necessary actions to ensure that its subcontractors and other cooperating entities provide guarantee of using appropriate security measures in every case, when they process personal data on behalf of the Controller.
XV. CONTACT DATA
- The Controller may be contacted by means of the following e-mail address [email protected], via contact form at nextbike.pl , via telephone, at 22 208 99 90 or in writing at the address of the seat of Nextbike Polska S.A.
- The Controller appointed Data Protection Officer, who may be contacted using the following
e-mail address: [email protected] regarding any matter concerning personal data processing.
- This policy is verified on an ongoing basis and it is updated if such a need occurs.
- The current version of this Policy was adopted on 28 August 2019.