PERSONAL DATA
- The Controller of the personal data collected, in particular through the website www.itaka.pl (Website) and mobile application (Application), is Nowa Itaka sp. z o.o. with its registered office in Opole 45-072, ul. Reymonta 39, entered into the Register of Entrepreneurs kept by the District Court in Opole, 8th Division of the National Court Register under No. 0000002269, Polish Tax Identification Number (NIP) 754-26-86-316, Polish National Business Register Number (REGON) 532179139, share capital PLN 3,315,000. Contact the Controller: phone no.: 77 5412 202, e-mail address: info@itaka.pl. The Controller of data is responsible for the security of the personal data transferred and for their processing in accordance with the provisions of the law.
- The Controller has appointed a Data Protection Officer (DPO), who can be contacted in matters related to the processing of personal data and the exercise of rights vested in the users in accordance with the provisions on the protection of personal data via e-mail: daneosobowe@itaka.pl
- Personal data is processed in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and other currently applicable (i.e. for the entire period of processing specified data) provisions of the law on personal data protection.
- In each case, the purpose and scope of the data processed by the Controller result from the concluded agreement, the consent of the user of the Website or mobile application, or legal regulations, and are specified in detail as a result of actions taken by the user.
TABLE OF CONTENTS
- IF YOU BUY HOLIDAYS FROM US OR ARE A PARTICIPANT OF A GROUP TRIP
- IF YOU BUY A TRIP WITH US (E.G. HOTEL STAY WITH OWN TRANSPORT OR AIR TRANSPORT)
- IF YOU USE THE CAR RENTAL BOOKING SERVICE
- IF YOU LOG IN TO THE CUSTOMER ZONE
- IF YOU USE THE OFFER FORM
- IF YOU USE THE CONTACT FORM
- IF YOU CONTACT US BY PHONE OR EMAIL
- IF YOU USE OUR HOTLINE
- IF YOU USE THE ITAKA CHATBOT APP
- IF YOU SUBSCRIBE TO THE NEWSLETTER
- IF YOU USE OUR BLOG
- IF YOU USE ITAKA'S FANPAGE ON FACEBOOK
- IF YOU VISIT ITAKA'S PROFILE ON INSTAGRAM
- IF YOU VISIT ITAKA'S PAGE ON LINKEDIN
- IF YOU VISIT ITAKA'S TWITTER ACCOUNT
- DATA COLLECTED AUTOMATICALLY
- FINAL PROVISIONS
IF YOU BUY HOLIDAYS FROM US OR ARE A PARTICIPANT OF A GROUP TRIP
- The Controller processes personal data for the following purposes:
- Conclusion of an agreement for participation in a tourist event and its performance (also applies to the performance of other tourist services provided according to the customer's choice, in particular the service of visa mediation), including ensuring the correct quality of services (legal basis – Article 6 sec. 1 let. b of the GDPR) – “performance of the agreement”.
- Performance of the Controller's legal obligations, e.g. financial settlements and accounting reporting, including issuing and storing invoices (legal basis – Art. 6 sec. 1 let. c of the GDPR) – “legal obligation”.
- Claiming damages resulting from the agreement (legal basis – Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”. The deadlines for claiming damages resulting from the agreement are specified in detail in the Civil Code and the Act on tourist events and related tourist services.
- Improvement of the quality of services provided, including customer satisfaction surveys (legal basis – Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- Sending marketing information (e.g. newsletter), where consent is given to the use of data for this purpose (legal basis – Art. 6 sec. 1 let. a of the GDPR) – “consent”.
- Direct marketing (products and services of the Controller and their partners), including personalization of marketing content (legal basis – Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- The Controller may process personal data in order to perform the agreement for participation in a tourist event, in particular:
- given name(s),
- surname,
- date of birth,
- gender,
- e-mail address,
- phone number,
- residence address,
- specimen of the signature,
- and data from identity card or passport necessary to perform the agreement (depending on the country of departure or offer) and to verify the identity of the customer, i.e. place of birth, citizenship, facial image, series and number of the document, authority issuing the document, date of issue and date of expiry of the document.
- Provision of personal data indicated above is voluntary, but necessary for the conclusion of the agreement and its performance. The consequence of a failure to provide personal data will be the impossibility of concluding and performing the agreement.
- To the extent necessary to conclude and perform the agreement for participation in a tourist event and to ensure the proper quality of services, the Controller may also process special categories of personal data (including data concerning health, e.g. disabled persons, persons with reduced mobility, persons requiring special medical care) if the data subject has given their explicit consent to the processing of such data for the indicated purpose (legal basis – Art. 9 sec. 2 let. a of the GDPR) – “consent”.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified in point 4. above. Depending on the legal basis, this will be accordingly:
- the time needed to perform the agreement (where the copy of an identity card or passport obtained for the purposes of the visa mediation service shall be erased immediately after obtaining the visa from the competent authorities responsible for issuing it),
- time of performing legal obligations and time period the legal regulations require data to be stored for, e.g. tax regulations,
- the time after which the claims resulting from the agreement expire,
- the time to object,
- the time until the withdrawal of consent.
- Subject to all data security guarantees, the Controller may transfer the personal data of the customer – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. agents, technical service providers and entities providing consulting services,
- other Controllers to the extent necessary for the provision of services and legal requirements, e.g. electronic payment operators, couriers, carriers, insurers, hotel service providers, additional service providers (e.g. parking lots, airport services), local or national tourist chambers, contractors providing services for the Controller on the basis of concluded agreements.
- To the extent necessary for the proper performance of the agreement, the Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the customer is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the customer considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
- The data of all persons mentioned in the booking confirmation/travel document were obtained by the Controller directly from the person who made the booking for the purpose of concluding an agreement on participation in a tourist event.
- The Customer concluding an agreement for participation in a tourist event with Nowa Itaka sp. z o.o. also does so on behalf of all the persons mentioned in the booking confirmation/travel document and thus assumes responsibility for informing them about the rules of personal data processing specified in this document by the Data Controller.
IF YOU BUY A TRIP WITH US (E.G. HOTEL STAY WITH OWN TRANSPORT OR AIR TRANSPORT)
- The Controller processes personal data for the following purposes:
- Provision of a service (including a service provided by electronic means) in terms of enabling the booking and purchase of individual travel services provided by any contractor of relevant services such as a hotel service provider or air carrier (legal basis – Art. 6(1)(b) of the GDPR) – "taking action at the request of an individual".
- Performance of the Controller's legal obligations, e.g. financial settlements and accounting reporting, including issuing and storing invoices (legal basis – Art. 6 (1)(c) of the GDPR) – “legal obligation”.
- Claiming damages resulting from the agreement (legal basis – Art. 6 (1)(f) of the GDPR) – “legitimate interest”. The deadlines for claiming damages resulting from the agreement are specified in detail in the Civil Code.
- Improvement of the quality of services provided, including customer satisfaction surveys (legal basis – Art. 6(1)(f) of the GDPR) – “legitimate interest”.
- Sending marketing information (e.g. newsletter), where consent is given to the use of data for this purpose (legal basis – Art. 6(1)(a) of the GDPR) – “consent”.
- Direct marketing (products and services of the Administrator and his partners), including personalization of marketing content (legal basis – Art. 6(1)(f) of the GDPR) – “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- Provision of personal data indicated above is voluntary, but necessary for the conclusion of the agreement, including making a booking and purchasing travel services from any contractor of relevant services.
- Provision of data in order to receive marketing information through the selected communication channel (e.g. e-mail address, telephone number) is voluntary, but necessary to receive marketing information. The consequence of a failure to provide personal data will be the inability to receive marketing content.
- To the extent necessary for the conclusion and performance of the agreement for participation in a tourist event and for ensuring the proper quality of services (including complaint handling), the Controller may also process special categories of personal data (including data concerning health, e.g. in the case of disabled persons, persons with reduced mobility, persons requiring special medical care). By providing us with such information, you declare that you consent to its use for the aforementioned purpose (legal basis - Art. 9(2)(a) of the GDPR) – "consent".
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified in point 1. above. Depending on the legal basis, this will be accordingly:
- the time needed to perform the agreement,
- time of performing legal obligations and time period the legal regulations require data to be stored for, e.g. tax regulations,
- the time after which the claims resulting from the agreement expire,
- the time to object,
- the time until the withdrawal of consent.
- Subject to all data security guarantees, the Controller may transfer the personal data of the customer – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. agents, technical service providers and entities providing consulting services,
- other Controllers to the extent necessary for the provision of services and legal requirements, e.g. electronic payment operators, couriers, carriers, insurers, hotel service providers, additional service providers (e.g. parking lots, airport services), local or national tourist chambers, contractors providing services for the Controller on the basis of concluded agreements.
- To the extent necessary for the proper performance of the agreement, the Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the customer is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the customer considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
- The identification data and contact details of all persons mentioned in the booking were obtained by the Controller directly from the person making the booking.
- The Customer concluding an agreement with Nowa Itaka sp. z o.o. also does so on behalf of all the persons mentioned in the agreement and thus assumes responsibility for informing them about the rules of personal data processing specified in this document by the Data Controller.
IF YOU USE THE CAR RENTAL BOOKING SERVICE
Detailed information on the processing of personal data collected in connection with the service is available on the dedicated website: https://samochody.itaka.pl/pl/privacy-and-policies.
IF YOU LOG IN TO THE CUSTOMER ZONE
- The Controller processes personal data for the following purposes:
- Conclusion of an agreement for the provision of services by electronic means (in accordance with the Act of 18 July 2002 on the provision of services by electronic means, Journal of Laws, No. 144, item 1204, as amended), including the registration and operation of a user account in the Customer Zone at www.itaka.pl and in a mobile application (legal basis – Art. 6 sec. 1 let. b of the GDPR) – “performance of the agreement”.
- Claiming damages resulting from the agreement (legal basis – Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”. The deadlines for claiming damages resulting from the agreement are specified in detail in the Civil Code.
- Sending marketing information (e.g. newsletter), where consent is given to the use of data for this purpose (legal basis – Art. 6 sec. 1 let. a of GDPR) – “consent”.
- Direct marketing (products and services of the Controller and their partners), including personalization of marketing content (legal basis – Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- Providing personal data is voluntary, however it is necessary to conclude an agreement, including registration and operation of a user account in the Customer Zone.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the time needed to perform the agreement,
- time of performing legal obligations and time period the legal regulations require data to be stored for, e.g. tax regulations,
- the time after which the claims resulting from the agreement expire,
- the time to object,
- the time until the withdrawal of consent.
- Subject to all data security guarantees, the Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services,
- other Controllers to the extent necessary for the implementation of services, on the basis of concluded agreements.
- To the extent necessary for the proper performance of the agreement, the Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller,
- the right to withdraw consent if the Controller processes personal data of the user based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
IF YOU USE THE OFFER FORM
- The Controller processes personal data for the purpose of:
- Processing the inquiry, i.e. presentation of an offer for participation in a tourist event (legal basis – Art. 6 sec. 1 let. b of the GDPR) – “taking action at the request of the data subject prior to the conclusion of the agreement”.
- Sending marketing information (e.g. newsletter), where consent is given to the use of data for this purpose (legal basis – Art. 6 sec. 1 let. a of the GDPR) – “consent”.
- Direct marketing (products and services of the Controller and their partners), including personalization of marketing content (legal basis – Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- The provision of data is voluntary, but necessary to process the inquiry, i.e. to present an offer for a tourist event. The consequence of a failure to provide the required personal data is the lack of possibility to send an offer to the user.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- time necessary to process the inquiry, i.e. prepare and present an offer and obtain a response from the customer, but not longer than 60 months from the date of sending the offer.
- the time to object,
- the time until the withdrawal of consent.
- Subject to all data security guarantees, the Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services.
- other Controllers, to the extent necessary to answer the question asked.
- The Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to, respectively:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller in cases in which the basis for the processing is the consent given,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
IF YOU USE THE CONTACT FORM
- The Controller processes personal data for the purpose of:
- Answering questions asked with the use of the contact form (or e-mail address and telephone number) available at www.itaka.pl and the mobile application (legal basis – Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- Sending marketing information (e.g. newsletter), where consent is given to the use of data for this purpose (legal basis – Art. 6 sec. 1 let. a of the GDPR) – “consent”.
- Direct marketing (products and services of the Controller and their partners), including personalization of marketing content (legal basis – Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- Providing the data indicated in the contact form and in the mobile application is voluntary, but necessary to answer the question. The consequence of a failure to provide the required personal data is the lack of possibility to send a reply to the user.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the period necessary for the implementation of the purpose indicated above, i.e. until the moment of answering the inquiry sent by the user,
- the time to object,
- the time until the withdrawal of consent.
- Subject to all data security guarantees, the Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services,
- other Controllers, to the extent necessary to answer the question asked.
- The Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller in cases in which the basis for the processing is the consent given,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
IF YOU CONTACT US BY PHONE OR EMAIL
- The Administrator processes personal data for the purpose and to the extent necessary for the proper handling of an application and an inquiry, including maintaining communication and answering questions asked via the contact telephone number and email address made available on the Website (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest". By providing us with information constituting special categories of data (e.g. health information), you declare that you consent to its use for the proper handling of your application and the processing of your inquiry (legal basis – Art. 9(2)(a) of the GDPR) – "consent".
- The withdrawal of consent can be made in particular by contacting the Administrator or the DPO (via the contact details provided above). The withdrawal of consent does not affect the lawfulness of data use during the period in which the consent was valid.
- Providing data is voluntary, but it is necessary for answering the submitted question or for proper handling of an application and inquiry, including receipt of complaints. The consequence of failing to provide personal data may be our inability to answer a question or handle an inquiry.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the period of time necessary to handle the inquiry, including answering the question submitted by the user,
- time until withdrawal of consent (including withdrawal of consent to process special categories of data).
- Subject to all data security guarantees, the Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services,
- other Controllers, to the extent necessary to answer the question submitted, including handling of complaints.
- The Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller in cases in which the basis for the processing is the consent given,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via the email address: daneosobowe@itaka.pl.
IF YOU USE OUR HOTLINE
- The Controller processes personal data in order to process requests made via the Hotline telephone service, the contact numbers of which are available on the website www.itaka.pl and in the mobile app, including:
- Answering questions asked during phone calls (legal basis - Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- Collection and use of personal data obtained through a call recording system for the purpose of verification of the correctness of the services provided (legal basis - Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- Establishing, pursuing or defending claims - for the duration of proceedings and the statute of limitations for potential claims. The legal basis is the realization of the Controller's legitimate interest (legal basis - Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- Sending marketing information (e.g. newsletter), where consent is given to the use of data for this purpose (legal basis – Art. 6 sec. 1 let. a of the GDPR) – “consent”.
- Direct marketing (products and services of the Controller and their partners), including personalization of marketing content (legal basis – Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- The Controller of data is responsible for the security of the personal data provided during phone calls and for their processing in accordance with the provisions of the law.
- Records from call recording systems will be stored for no longer than three months from the date of recording. If a recording constitutes evidence in proceedings conducted under the law, or the Controller has become aware that it may constitute evidence in proceedings, this period shall be extended until the proceedings are finally concluded. After these periods, recordings containing personal data shall be destroyed.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the period necessary for the implementation of the purpose indicated above, i.e. until the moment of answering the inquiry made by the user,
- the time to object,
- the time until the withdrawal of consent.
- Subject to all data security guarantees, the Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services,
- other Controllers, to the extent necessary to answer the question asked.
- The Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller in cases in which the basis for the processing is the consent given,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
IF YOU USE THE ITAKA CHATBOT APP
- The Controller processes personal data for the purpose of:
- Answering questions asked with the use of the ITAKA Chatbot software available in Messenger application (legal basis – Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- Processing the inquiry, i.e. presentation of an offer for a tourist event (legal basis – Art. 6 sec. 1 let. b of the GDPR) – “taking action at the request of the data subject prior to the conclusion of the agreement”.
- Sending marketing information (e.g. newsletter), where consent is given to the use of data for this purpose (legal basis – Art. 6 sec. 1 let. a of the GDPR) – “consent”.
- Direct marketing (products and services of the Controller and their partners), including personalization of marketing content (legal basis – Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- In order to contact the Controller, i.e. to use the ITAKA Chatbot software, the user of the Messenger application provides personal data, in particular their name and other data (in accordance with the rights specified by the user in the application settings). The provision of data is voluntary, but necessary to make contact and obtain an answer to the question asked.
- The Controller processes personal data of the user in order to process the inquiry. Provision of data is voluntary, but necessary to process the inquiry, i.e. to present an offer for a tourist event. The consequence of a failure to provide the required personal data is the lack of possibility to send an offer to the user.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- time necessary to process the inquiry, i.e. prepare and present an offer and obtain a response from the customer, but not longer than 60 months from the date of sending the offer
- the time to object,
- the time until the withdrawal of consent.
- Subject to all data security guarantees, the Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services,
- other Controllers to the extent necessary for the implementation of services, on the basis of concluded agreements.
- The Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller in cases in which the basis for the processing is the consent given,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
IF YOU SUBSCRIBE TO THE NEWSLETTER
- The Controller processes personal data for the purpose of:
- Providing marketing information to persons interested in the Controller's offer by means of a newsletter (legal basis – Art. 6 sec. 1 let. a of the GDPR) – "consent".
- Direct marketing (products and services of the Controller and their partners), including personalization of marketing content (legal basis – Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”. The Controller may process personal data in order to prepare and present a customized offer for a tourist event. Such data will also be processed in an automated manner, however decisions taken will not have any legal effect on the customer.
- The provision of data is voluntary, but necessary to receive marketing information. The consequence of a failure to provide the required personal data is the lack of possibility to send a newsletter to the user.
- A user using a newsletter may at any time and without giving any reason, resign from receiving it, in particular by clicking on the deactivation link contained in each e-mail sent to the user or by sending correspondence to the following address: info@itaka.pl.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the time until the withdrawal of consent,
- the time to object.
- The Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services,
- other Controllers to the extent necessary for the implementation of services and legal requirements, on the basis of concluded agreements.
- The Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller in cases in which the basis for the processing is the consent given,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
IF YOU USE OUR BLOG
- The Controller processes personal data in order to enable the user to exchange information, including adding comments on the Controller's blog, and to answer questions of the user (legal basis – Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- The provision of data is voluntary, but necessary to use the blog. The consequence of failure to provide the required personal data is the inability to register and exchange information, including adding comments on the Controller's blog.
- The Controller has the right to process personal data until an objection is expressed by the user.
- The Controller may transfer the personal data of the user – apart from persons authorized by the data Controller – to other entities, including:
- entities processing data on behalf of the Controller, e.g. technical service providers and entities providing consulting services,
- other Controllers to the extent necessary for the implementation of services and legal requirements, on the basis of concluded agreements.
- The Controller may transfer data to countries outside the European Economic Area (EEA) which do not provide an adequate level of protection. However, the Controller shall ensure that the transfer is carried out in a secure, controlled manner and is secured by appropriate agreements with the recipients, meeting the conditions set out in Chapter V of the GDPR. The Controller may also transfer personal data to countries outside the EEA for which the European Commission has established that they offer an adequate level of protection.
- In connection with the processing of personal data by the Controller, the user is entitled to:
- the right to access personal data,
- the right to rectify personal data,
- the right to delete personal data (the right to be forgotten),
- the right to limit the processing of personal data,
- the right to transfer data to another Controller in cases in which the basis for the processing is the consent given,
- the right to withdraw consent if the Controller processes personal data of the customer based on consent at any time and in any way, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
- the right to object to the processing of data if the basis for the processing is the legitimate interest of the Controller,
- the right to lodge a complaint with the Director of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych), if the user considers that the processing of personal data violates the provisions of the Regulation.
- In order to exercise the rights specified above, please contact the Controller via e-mail: daneosobowe@itaka.pl.
IF YOU USE ITAKA'S FANPAGE ON FACEBOOK
- Nowa Itaka sp. z o.o. is the Controller of personal data of users using the products and services offered by Facebook who visit the Controller's website, available at https://www.facebook.com/itakapl (hereinafter referred to as the Fanpage). The Controller is responsible for the security of the personal data transferred and for their processing in accordance with the provisions of the law.
- The Controller processes personal data of users who, using Facebook products and services, visit the Fanpage. These data are processed:
- in connection with the Fanpage, including for the purpose of promoting the Controller's own brand (legal basis - Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”;
- to answer questions asked via Messenger or other Facebook services (legal basis - Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”; where specific categories of data (e.g. health information) are provided in the content of the question, the user is deemed to have given consent to the use of the data by the Controller (legal basis - Art. 9 sec. 2 let. a of the GDPR) - “consent”;
- The Controller has the right to process:
- publicly available personal data (such as a username, profile picture, Facebook or Messenger activity status), the content of comments and other information made publicly available by the user using Facebook products and services,
- personal data provided by the user visiting the Fanpage, including the collection of information made available in the user's profile and other content, comments, messages and notifications (e.g. photos, contact details, place of residence, information about interests or worldviews),
- other personal data provided by users in messages using Messenger or other Facebook services (including contact and health information) in order to respond to an inquiry or to process a contact request.
- The scope of the processing of personal data, the specific purposes and the rights and obligations of the user using Facebook products and services are directly governed by Facebook's Terms of Service (available at: https://www.facebook.com/legal/terms) and the "Data Policy” (the document is available at https://www.facebook.com/policy) or provisions of law and are specified as a result of actions taken by a user on Facebook.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the time until the objection is expressed (or the Facebook user account is deleted),
- the time until the withdrawal of consent (or deletion of the Facebook user account); the withdrawal of consent does not affect the lawfulness of data processing during the period when the consent was valid;
- the time period required to process an inquiry sent by the user via Messenger or other Facebook services.
- The directory of recipients of the personal data processed by the Controller results primarily from the scope of products and services used by the Facebook user, but also from the user's consent or the provisions of law. With all guarantees of data security, the Controller may transfer the personal data of the user visiting the Fanpage – in addition to the persons authorized by the Data Controller – to other entities, including entities processing the data on behalf of the Controller, e.g. providers of technical services and entities providing consulting services (including law firms) and contractors providing services to the Controller on the basis of concluded agreements.
- The Controller shall not transfer personal data of the user using Facebook products and services to countries outside the European Economic Area (to countries other than EU countries and Iceland, Norway and Liechtenstein).
- The Controller may process personal data of users using Facebook products and services who visit the Fanpage in order to analyze their use of the Controller's website and related content (page insights) - where users' use of the Fanpage and related content triggers the creation of an event for page insights that involves the processing of personal data (legal basis - Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”.
- In the case of personal data processed for the purpose of page insights regarding the user's activities on the Fanpage (including following or unfollowing the page, recommending the page in a post or comment, liking the page or a post, cancelling the liking), Nowa Itaka and Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are the joint Controllers of the users' personal data. The types of data and the scope of its processing as well as the privacy policy and users' rights are specified in detail:
- in this document,
- in the document "Data Policy", published on the Facebook page at https://www.facebook.com/policy.
- The responsibility to notify the users of the Facebook products and services of the processing of data for the purposes of page insights and to allow them to exercise their rights in accordance with the GDPR is borne by Facebook (information about the data used to create the page insights was made available on the Facebook page at: https://www.facebook.com/legal/terms/information_about_page_insights_data).
- The Facebook Data Protection Officer can be contacted via the form that was made available on the Facebook page at https://www.facebook.com/help/contact/540977946302970.
IF YOU VISIT ITAKA'S PROFILE ON INSTAGRAM
- Nowa Itaka sp. z o.o. is the Controller of personal data of users using the products and services offered by Facebook on Instagram who visit the Controller's website, available at https://www.instagram.com/itakapl (hereinafter referred to as the Fanpage). The Controller is responsible for the security of the personal data transferred and for their processing in accordance with the provisions of the law.
- The Controller processes personal data of users who, using Instagram products and services, visit the Fanpage. These data are processed:
- in connection with the Fanpage, including for the purpose of promoting the Controller's own brand (legal basis - Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”;
- to answer questions asked via Instagram (legal basis - Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”; where specific categories of data (e.g. health information) are provided in the content of the question, the user is deemed to have given consent to the use of the data by the Controller (legal basis - Art. 9 sec. 2 let. a of the GDPR) - “consent”;
- The Controller has the right to process:
- publicly available personal data (such as a username, profile picture, Instagram activity status), the content of comments and other information made publicly available by the user using Instagram products and services,
- personal data provided by the user visiting the Fanpage, including the collection of information made available in the user's profile and other content, comments, messages and notifications (e.g. photos, contact details, place of residence, information about interests or worldviews),
- other personal data provided by users in messages using Instagram or other Facebook services (including contact and health information) in order to respond to an inquiry or to process a contact request.
- The scope of the processing of personal data, the specific purposes and the rights and obligations of the user using Instagram products and services are directly governed by:
- Instagram's Terms of Service (available at: https://help.instagram.com/581066165581870) and
- "Data Policy” (the document is available at https://help.instagram.com/519522125107875) or
- provisions of law and are specified as a result of actions taken by a user on Instagram.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the time until the objection is expressed (or the Instagram user account is deleted),
- the time until the withdrawal of consent (or deletion of the Instagram user account); the withdrawal of consent does not affect the lawfulness of data processing during the period when the consent was valid,
- the time period required to process an inquiry sent by the user via Instagram or other Facebook services.
- The directory of recipients of the personal data processed by the Controller results primarily from the scope of products and services used by the Instagram user, but also from the user's consent or the provisions of law. With all guarantees of data security, the Controller may transfer the personal data of the user visiting the Fanpage – in addition to the persons authorized by the Data Controller – to other entities, including entities processing the data on behalf of the Controller, e.g. providers of technical services and entities providing consulting services (including law firms) and contractors providing services to the Controller on the basis of concluded agreements.
- The Controller shall not transfer personal data of the user using Instagram products and services to countries outside the European Economic Area (to countries other than EU countries and Iceland, Norway, and Liechtenstein).
- The Controller may process personal data of users using Instagram products and services who visit the Fanpage in order to analyze their use of the Controller's website and related content (page insights) – where users' use of the Fanpage and related content triggers the creation of an event for page insights that involves the processing of personal data (legal basis - Art. 6 sec. 1 let. f of the GDPR) - “legitimate interest”.
- In the case of personal data processed for the purpose of page insights regarding the user's activities on the Fanpage (including following or unfollowing the page, recommending the page in a post or comment, liking the page or a post, cancelling the liking), Nowa Itaka and Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are the joint Controllers of the users' personal data. The types of data and the scope of its processing as well as the privacy policy and users' rights are specified in detail:
- in this document,
- in the document "Data Policy", published on the Facebook page at https://www.facebook.com/policy,
- in the document “Information about Page Insights Data”, published on the Facebook page at https://www.facebook.com/legal/terms/page_controller_addendum.
- The responsibility to notify the users of the Instagram products and services of the processing of data for the purposes of page insights and to allow them to exercise their rights in accordance with the GDPR is borne by Facebook (information about the data used to create the page insights was made available on the Facebook page at: https://www.facebook.com/legal/terms/information_about_page_insights_data).
- The Facebook Data Protection Officer can be contacted via the form that was made available on the Facebook page at https://www.facebook.com/help/contact/540977946302970.
IF YOU VISIT ITAKA'S PAGE ON LINKEDIN
- Nowa Itaka sp. z o.o. is the Controller of personal data of users using the products and services offered by LinkedIn, who visit the Controller's page, available at https://pl.linkedin.com/company/nowa-itaka-sp-z-o-o- (Page). As the Controller, Nowa Itaka sp. z o.o. is responsible for the security of the personal data transferred and for their processing in accordance with the provisions of the law.
- The Controller processes personal data of users who, using LinkedIn products and services, visit the Page. These data are processed:
- in connection with the operation of the Page, including the promotion of the Controller's own brand (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest";
- for the purpose of answering the questions asked via LinkedIn services (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest"; in the case of provision of special categories of data (e.g. health information), the user declares that they consent to their processing for the purpose of the proper handling of an application and an inquiry, including communication and answering questions (legal basis – Art. 9(2)(a) of the GDPR) – "consent".
- The Controller has the right to process:
- publicly available personal data (such as a username, profile picture, LinkedIn activity status), the content of comments and other information made publicly available by the user using LinkedIn products and services,
- personal data provided by the user visiting the Page, including to collect the information made available in the user's profile and other content, comments, messages and notifications (e.g. photos, contact details, place of work, place of residence, information about education, interests or worldviews),
- other personal data provided by users in messages sent using LinkedIn services (including contact and health information) in order to respond to an inquiry or to process a contact request.
- The scope of the processing of personal data, the specific purposes and the rights and obligations of the user using LinkedIn products and services are directly governed by:
- LinkedIn User Agreement (available at: https://pl.linkedin.com/legal/user-agreement) and
- Privacy Policy (available on LinkedIn at: https://pl.linkedin.com/legal/privacy-policy) or
- provisions of law and are specified as a result of actions taken by the user on LinkedIn.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be accordingly:
- the time until the objection is expressed (or the LinkedIn user account is deleted),
- the time until the consent is withdrawn (or the LinkedIn user account is deleted); the withdrawal of consent does not affect the lawfulness of data processing during the period in which the consent was valid,
- the time period required to process an inquiry sent by the user via LinkedIn services.
- The directory of recipients of the personal data processed by the Controller results primarily from the scope of products and services used by the LinkedIn user, but also from the user's consent or the provisions of law. Subject to all data security guarantees, the Controller may transfer the personal data of the user visiting the Page – in addition to the persons authorized by the Controller – to other entities, including entities processing the data on behalf of the Controller, e.g. providers of technical services and entities providing consulting services (including law firms) and contractors providing services to the Controller on the basis of concluded agreements.
- The Controller shall not transfer personal data of the user using LinkedIn products and services to countries outside the European Economic Area (to countries other than EU countries and Iceland, Norway and Liechtenstein).
- The Controller may process personal data of users using LinkedIn products and services who visit the Page in order to analyze their use of the Controller's website and related content (page insights) – where users' use of the Page and related content triggers the creation of an event for page insights that involves the processing of personal data (legal basis - Art. 6(1)(f) of the GDPR) – “legitimate interest”.
- In the case of personal data processed for the purpose of page insights regarding the user's activity on the Page (including following or unfollowing the page, recommending the page in a post or comment), Nowa Itaka and LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland) are the joint Controllers of the users' personal data. The types of data and the scope of its processing as well as the privacy policy and users' rights are specified in detail:
- in this document,
- in the "Privacy Policy" document published on the LinkedIn website at: https://pl.linkedin.com/legal/privacy-policy,
- in the "Page Insights Joint Controller Addendum" document, published on the LinkedIn website at: https://legal.linkedin.com/pages-joint-controller-addendum.
- The responsibility to notify the users of the LinkedIn products and services of the processing of data for the purposes of page insights and to allow them to exercise their rights in accordance with the GDPR is borne by LinkedIn (information about the data used to create the page insights was made available on LinkedIn at: https://pl.linkedin.com/legal/privacy-policy).
- The LinkedIn Data Protection Officer can be contacted via the form that was made available on LinkedIn at: https://www.linkedin.com/help/linkedin/ask/TSO-DPO.
IF YOU VISIT ITAKA'S TWITTER ACCOUNT
- Nowa Itaka sp. z o.o. is the Controller of personal data of users using the products and services offered by Twitter who visit the Controller's website, available at: https://twitter.com/wwwitakapl (Account). As the Controller, Nowa Itaka sp. z o.o. is responsible for the security of the personal data transferred and for their processing in accordance with the provisions of the law.
- The Controller processes personal data of users who, using Twitter products and services, visit the Account. These data are processed:
- in connection with the operation of the Account, including the promotion of the Controller's own brand (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest";
- for the purpose of answering the questions asked via Twitter services (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest"; in the case of provision of special categories of data (e.g. health information), the user declares that they consent to their processing for the purpose of the proper handling of an application and an inquiry, including communication and answering questions (legal basis – Art. 9(2)(a) of the GDPR) – "consent".
- The Controller has the right to process:
- publicly available personal data (such as a username, profile picture, Twitter activity status), the content of comments and other information made publicly available by the user using Twitter products and services,
- personal data provided by the user visiting the Account, including to collect the information made available in the user's profile and other content, comments, messages and notifications (e.g. photos, contact details, information about interests or worldviews),
- other personal data provided by users in messages sent using Twitter services (including contact and health information) in order to respond to an inquiry or to process a contact request.
- The scope of the processing of personal data, the specific purposes and the rights and obligations of the user using Twitter products and services are directly governed by:
- Twitter Rules (available at: https://help.twitter.com/pl/rules-and-policies/twitter-rules) and
- Twitter Privacy Policy (available at: https://twitter.com/en/privacy) or
- provisions of law
- and are specified as a result of actions taken by the user on Twitter.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be, respectively:
- the time until the objection is expressed (or the Twitter user account is deleted),
- the time until the consent is withdrawn (or the Twitter user account is deleted); the withdrawal of consent does not affect the lawfulness of data processing during the period in which the consent was valid,
- the time period required to process an inquiry sent by the user via Twitter services.
- The directory of recipients of the personal data processed by the Controller results primarily from the scope of products and services used by the Twitter user, but also from the user's consent or the provisions of law. Subject to all data security guarantees, the Controller may transfer the personal data of the user visiting the Account – in addition to the persons authorized by the Data Controller – to other entities, including entities processing the data on behalf of the Controller, e.g. providers of technical services and entities providing consulting services (including law firms) and contractors providing services to the Controller on the basis of concluded agreements.
- The Controller shall not transfer personal data of the user using Twitter products and services to countries outside the European Economic Area (to countries other than EU countries and Iceland, Norway and Liechtenstein).
- The Controller may process personal data of users using Twitter products and services who visit the Account in order to analyze their use of the Controller's website and related content (page insights) – where users' use of the Account and related content triggers the creation of an event for page insights that involves the processing of personal data (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest".
- In the case of personal data processed for the purpose of page insights regarding the user's activity on the Account (including following or unfollowing the Account, recommending the Account), Nowa Itaka and Twitter International Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland) are the joint Controllers of the users' personal data. The types of data and the scope of its processing as well as the privacy policy and users' rights are specified in detail:
- in this document,
- in the "Twitter Privacy Policy" document, published on the Twitter website at: https://twitter.com/en/privacy,
- in the "Twitter Controller-to-Controller Data Protection Addendum" document, published on the Twitter website at: https://gdpr.twitter.com/en/controller-to-controller-transfers.html.
- The responsibility to notify the users of the Twitter products and services of the processing of data for the purposes of page insights and to allow them to exercise their rights in accordance with the GDPR is borne by Twitter (information about the data used to create the page insights was made available on the Twitter website at: https://twitter.com/en/privacy).
- The Twitter Data Protection Officer can be contacted via email address: dpo@twitter.com.
IF YOU VISIT ITAKA'S YOUTUBE CHANNEL
- Nowa Itaka sp. z o.o. is the Controller of personal data of users using the products and services offered by Google through YouTube, who visit the Controller's page, available at: https://www.youtube.com/c/itaka (Channel). As the Controller, Nowa Itaka sp. z o.o. is responsible for the security of the personal data transferred and for their processing in accordance with the provisions of the law.
- The Controller processes personal data of users who, using YouTube products and services, visit the Channel. These data are processed:
- in connection with the operation of the Channel, including the promotion of the Controller's own brand (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest";
- for the purpose of answering the questions asked via YouTube or other services offered by Google (legal basis – Art. 6(1)(f) of the GDPR) – "legitimate interest"; in the case of provision of special categories of data (e.g. health information), the user declares that they consent to their processing for the purpose of the proper handling of an application and an inquiry, including communication and answering questions (legal basis – Art. 9(2)(a) of the GDPR) – "consent".
- The Controller has the right to process:
- publicly available personal data (such as a username, profile picture, YouTube activity status), the content of comments and other information made publicly available by the user using YouTube products and services,
- personal data provided by the user visiting the Channel, including to collect the information made available in the user's profile and other content, comments, messages and notifications (e.g. photos, contact details, place of residence, information about interests or worldviews, etc.),
- other personal data provided by users in messages using YouTube or other Google services (including contact and health information, etc.) in order to respond to an inquiry or to process a contact request.
- The scope of the processing of personal data, the specific purposes and the rights and obligations of the user using YouTube products and services are directly governed by:
- YouTube rules and regulations (the document is available on the YouTube website at: https://www.youtube.com/intl/pl/about/policies/#community-guidelines) and
- Privacy & Terms (the document is available on Google at: https://policies.google.com/privacy) or
- provisions of law
- and are specified as a result of actions taken by the user on YouTube.
- The Controller has the right to process personal data for the period necessary to achieve the purposes specified above. Depending on the legal basis, this will be, respectively:
- the time until the objection is expressed (or the YouTube user account is deleted),
- the time until the consent is withdrawn (or the YouTube user account is deleted); the withdrawal of consent does not affect the lawfulness of data processing during the period in which the consent was valid,
- the time period required to process an inquiry sent by the user via YouTube or other Google services.
- The directory of recipients of the personal data processed by the Controller results primarily from the scope of products and services used by the YouTube user, but also from the user's consent or the provisions of law. Subject to all data security guarantees, the Controller may transfer the personal data of the user visiting the Channel – in addition to the persons authorized by the Controller – to other entities, including entities processing the data on behalf of the Controller, e.g. providers of technical services and entities providing consulting services (including law firms) and contractors providing services to the Controller on the basis of concluded agreements.
- The Controller shall not transfer personal data of the user using YouTube products and services to countries outside the European Economic Area (to countries other than EU countries and Iceland, Norway and Liechtenstein).
- The Controller may process personal data of users using YouTube products and services who visit the Channel in order to analyze their use of the Controller's website and related content (page insights) – where users' use of the Channel and related content triggers the creation of an event for page insights that involves the processing of personal data (legal basis – Art. 6(1)(f) of the GDPR) – “legitimate interest”.
- In the case of personal data processed for the purpose of page insights regarding the user's activity on the Channel (including following or unfollowing the Channel, recommending the Channel in a post or comment, liking a video, cancelling a like), Nowa Itaka and Google Ireland Limited (Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland) are the joint Controllers of the users' personal data. The types of data and the scope of its processing as well as the privacy policy and users' rights are specified in detail:
- in this document,
- in the “Privacy & Terms” document, published on Google at: https://policies.google.com/privacy, or
- The responsibility to notify the users of the YouTube products and services of the processing of data for the purposes of page insights and to allow them to exercise their rights in accordance with the GDPR is borne by YouTube (information about the data used to create the page insights was made available on Google at: https://policies.google.com/privacy).
- The Google Data Protection Officer can be contacted via email address: data-protection-office@google.com.
DATA COLLECTED AUTOMATICALLY
- The Controller collects the information obtained automatically (so-called event logs).
- The event logs record data concerning sessions of users visiting the Website and using the services provided as part of the Website and the mobile app (in particular: IP address, date and time of visits, information about the Internet browser and operating system). This data is not associated with specific individuals.
- Access to the contents of the event logs is granted to persons authorized by the Controller.
- The chronological record of information about events is only auxiliary material, used for administrative purposes. The analysis of event logs makes it possible, in particular, to detect threats, ensure appropriate security, and compile statistics in order to better understand the way users use the website and the mobile app.
- The data indicated in section 2 above are used to diagnose problems related to the functioning of the Website and the App and to analyze possible security breaches, to manage the Website and the App and to generate statistics (legal basis – Art. 6 sec. 1 let. f of the GDPR) – “legitimate interest”.
- The website uses cookies for its operation. For more information, see the "COOKIES POLICY".
FINAL PROVISIONS
- The Controller shall secure the personal data processed by them in accordance with generally applicable regulations concerning personal data protection and security of information.
- This Privacy Policy is for informational purposes only and applies only to the website www.itaka.pl and mobile application. The Website and the mobile application may feature links to other websites (including websites of partners and other external entities cooperating with the Controller). The Controller suggests that each user, after accessing other websites, should read the privacy policy applicable there.
- The Controller reserves the right to introduce changes to the applicable Privacy Policy in case of technology development, changes in generally applicable legal regulations, including personal data protection and in case of the development of the Website.
- The Controller will notify the users about any relevant changes in the content of the privacy policy by publishing an announcement on the Website.