Privacy policy

§1. Information about the Administrator

1. The owner of the website and the Administrator of all Personal Data provided to us by you is Karta Pobytu Sp. z o. o., NIP 5273074709, KRS 0001057395, based in Warsaw (registered office address and correspondence address: ul. Grzybowska 87, 00-844 Warsaw) (hereinafter referred to as: Administrator or Service Provider).

§2. Information obligations of the Administrator

1. The provisions in this Privacy Policy exhaust the information obligations of Karta Pobytu Sp. z o. o. arising from Art. 13 of the General Regulation on the Protection of Personal Data of April 26, 2016 (OJ EU L 2016, No. 119, hereinafter referred to as: GDPR).

2. The Administrator declares that he has made every effort to fulfill these obligations while maintaining the criteria of transparent information and communication referred to in Art. 12 GDPR.

3. In case of any ambiguities, each data subject may request additional information at the e-mail address provided for contacts in matters of personal data processing.

§3. Contact details regarding the processing of personal data.

1. The Administrator representing the Service Provider has appointed a Data Protection Inspector, whose e-mail address: iod@kartapobytu.pl is the contact address for reporting all matters related to the processing of your personal data.

§4. General provisions

1. The Service Provider takes special care to protect the rights and freedoms of data subjects, and in particular ensures that the data is:

a) processed lawfully, fairly and transparently,

b) collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes,

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,

d) correct and updated if necessary,

e) stored in a form enabling identification of the data subject for a period no longer than necessary to achieve the purposes for which they are processed,

f) processed in a way that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.

2. As part of the measures listed in point 1 letter f) above, the Administrator has implemented, among others: the following security measures: firewalls, data encryption, physical access controls to data centers and information access authorization controls.

3. The Service User’s personal data are processed in accordance with the Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation; hereinafter: GDPR) (OJ EU L 119 of 4/05/2016), the Act of May 10, 2018 on the protection of personal data and the Act of July 18, 2002 on the provision of services by electronic means (i.e. Journal of Laws of 2017, item 1219).

§5. Purpose, basis and scope of personal data processing.

1. Each time, the purpose, basis and scope as well as the recipients of the data processed by the Service Provider result from the activities entrusted to the Service Provider by the Client.

2. Possible purposes for collecting your personal data:

a. Conclusion and implementation of the contract for the use of the Karta Pobytu website, including user support and communication with the website user in connection with the service provided, payment processing; basis for processing: art. 6 section 1 letter b) GDPR (processing is necessary to perform the contract);

3. Personal data provided may be processed for the purposes of:

a) achieving the purpose of concluded cooperation agreements (Article 6(1)(b) of the GDPR),

b) implementation of recruitment procedures, including legalization of stay and work based on consent (Article 6(1)(a) of the GDPR),

c) related to the pursuit of possible claims and compensation (Article 6(1)(f) of the GDPR),

d) responding to your letters, requests and complaints (Article 6(1)(d) of the GDPR).

e) verifying identity in order to prevent prohibited activities, in particular actions to the detriment of the Data Administrator and third parties; basis for processing: art. 6 section 1 letter f) GDPR (processing is necessary for the purposes of legally justified interests pursued by the data controller or by a third party);

4. Scope of processed personal data. Personal data of the account holder and data related to the user’s use of the website services via this account: name, surname, passport details, residential address, travel details, details of family members residing in Poland, confirmation of qualifications, e-mail address, number phone, declaration settings; b. Personal data of system users and data related to the use of website services by these users through their accounts – name and surname, role and scope of rights, e-mail address, telephone number;

5. Complaint proceedings related to the Electronic Service provided or performed; basis for processing: art. 6 section 1 letter b) GDPR;

a. Scope of personal data processed: name and surname of the person submitting the complaint, contact details (mailing address, e-mail address, telephone number), reason and data about the subject of the complaint.

6. Pursuing claims due to the Service Provider (receivable debt collection); basis for processing: art. 6 section 1 letter c) GDPR (processing is necessary for the purposes of legally justified interests pursued by the data controller);

7. Ensuring the security of the website and the protection of its customers’ data – basis for processing: Art. 6 section 1 letter f) GDPR (processing is necessary for the purposes of legally justified interests pursued by the data controller or by a third party).

§6. Sharing personal information.

1. Personal data may be transferred in justified cases and with your consent.

2. Data of indebted persons may be transferred as part of the claims recovery process to external debt collection companies, law firms, common courts and arbitration institutions.

3. In addition, we would like to inform you that in cases described in separate legal provisions and in accordance with the procedure indicated in these provisions, personal data may be transferred to authorized state administration bodies.

4. Personal data may also be disclosed for the purposes of audits, compliance with regulations and corporate governance.

5. The Administrator declares that in each case, the provision or transfer of personal data for processing is based on an agreement entrusting the processing of personal data or a legal obligation.

§7. Personal data processing periods (data retention)

1. Your personal data may be stored:

a. Personal data assigned to the User’s account on the website – for the entire duration of the account’s activity, and for a period of 10 years after the expiration of the account in archival form (in accordance with the provisions of the Civil Code regarding the limitation of claims). b. Personal data necessary to pursue claims by the Administrator or third parties – until such data is useful in the ongoing proceedings or until other legally permissible activities related to the pursuit of claims are completed.

§8. Rights of the person whose data is processed by the Administrator

1. Each person whose data is processed by the Administrator is entitled to:

a. the right to access your personal data, rectification, deletion, limitation of processing, the right to object, and the right to transfer data in the cases specified in the provisions of the GDPR;

b. the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal (applies in particular to data processing for marketing purposes),

c. the right to object to the processing of personal data at any time – for reasons related to the special situation of the data subject, as well as the right to object to the processing of data for direct marketing purposes,

d. the right to lodge a complaint with the Supervisory Authority (President of the Personal Data Protection Office, address: ul. Stawki 2, 00-193 Warsaw) if the data subject considers that the processing of data by the Administrator violates the provisions of the GDPR.

§9. Possibility to choose regarding the personal data collected by the Administrator.

1. Providing personal data when using the Service Provider’s services is voluntary, but failure to provide this data will prevent the Service Provider from providing the services.

2. Providing personal data for marketing purposes is voluntary, but failure to provide this data results in the inability to receive a personalized offer of services offered by the Data Administrator and its business partners.

§10. Cookies and operational data

1. Cookies are small text information in the form of text files, sent by the server and saved on the side of the person visiting the Service Provider’s website (e.g. on the hard drive of a computer, laptop or on a smartphone’s memory card – depending on what device the visitor uses). ). The Service Provider may process data contained in Cookies when visitors use the Service Provider’s websites for the following purposes:

2. Implementation of basic functionalities of the website, such as identifying Service Users as logged in and maintaining login sessions, storing dynamic data, e.g. settings, selected list items, filter history;

3. Adapting the content of the website pages to the individual preferences of the Service User (e.g. regarding the website language);

4. Remembering IP location, time zone;

5. Keeping anonymous statistics showing how the website pages are used.

§11. Final Provisions

1. The Service Provider’s websites and websites may contain links to other websites, the privacy policies of which should be read individually.

2. This privacy policy applies only to the Service Provider’s Websites.