Privacy policy
System Rowerów Miejskich w Pszczynie oraz Gminie Goczałkowice – Zdrój (SRM System) Privacy Policy is targeted at familiarizing users of the SRM System with information required by Art. 13 and 14 of GDPR with regards to the processing of their data as part of the SRM System.
I. DEFINITIONS
1. Data Controller – Nextbike Polska S.A. w restrukturyzacji with its seat in Warsaw at ul. Przasnyska 6b, 01-756 Warszawa.
2. Mobile Application – mobile application available on mobile phones and portable devices, offered by the Data Controller on devices with an installed Android and iOS system.
3. Personal Data – information about a natural person identified or possible to be identified by one or more unique factors identifying physical, physiological, genetic, mental, economic, cultural or social identity, including device IP address, location data, internet identifier and information collected by means of cookie files as well as by other similar technologies.
4. Nextbike Group – companies belonging to the Nextbike Group in the meaning of Art. 4 point 14 of the Act of 16 February 2007 on protection of competition and consumers.
5. Client – any natural person, participant of the Bike System, who has accepted the Terms of Service and carried out registration in the Bike System, thus concluding Agreement with the Operator.
6. Policy – hereby Privacy Policy.
7. Terms of Service – rules defining the principles and conditions of using the Bike System, in particular, the scope of rights and obligations and the responsibility of persons who avail of the possibility of using the Bike System managed by Data Controller. Terms of Service may be found at https://pszczynskirower.pl/en/rules/.
8. GDPR – Regulation of the European Parliament and Council (EC) 2016/679 from 27 April 2016 on protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC
9. Service – online service available at www.pszczynskirower.pl or by means of the Mobile Application through which the Data Controller provides services to Users via electronic means, in particular, the service of bike rentals.
10. Bike System – the service of SRM, realized according to the principles specified in the Terms of Service.
11. Agreement – agreement between the Client and the Data Controller via the Service which establishes mutual rights and obligations specified in the hereby Terms of Service.
12. User – each natural person visiting the Service or using one or several services or functionalities specified in the Policy.
13. Trusted Partner – entity with which the Data Controller cooperates, whose marketing content is directed by the Controller to Clients and Users.
II. PROCESSING OF DATA IN RELATION TO THE USE OF THE SERVICE
1. In relation to the use of Service by Users, Data Controller gathers data in the scope necessary for the provision of individual offered services as well as data concerning User activities in the Service. Detailed principles and goals of the processing of personal data gathered in the course of using the Service by its Users have been outlined in detail below.
III. GOALS AND LEGAL BASIS FOR THE PROCESSING OF DATA IN THE SERVICE
THE USE OF THE SERVICE
1. Personal data of all persons using the Service (including IP address or other identifiers and information gathered by means of cookies files or other similar technologies) who are not registered Users (that is who do not have a set-up profile in the Service) are processed by the Data Controller:
a. for the purpose of provision of service via electronic means in the scope of disclosing to Users of content gathered in the Service – in such a case the legal basis for the processing is the necessity to process data in order to execute the agreement (Art. 6 sec. 1 letter b of GDPR);
b. for analytical and statistical purposes – whereas the legal basis for the processing is the legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR), consisting of the conduct of analyses of Users’ activities as well as their preferences for the purpose of improving applicable functionalities and services provided;
c. for the purpose of potential establishing and pursuing claims or defending against claims – the legal basis of the processing is a legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR), constituting protection of his rights;
d. for marketing purposes of the Data Controller and other entities – the principles of processing personal data for marketing purposes have been specified in the MARKETING section.
2. User activities in the Service, including their personal data, are registered in system logs (special computer software targeted at storing chronological records containing information about events and actions that concern the IT system for the provision of Data Controller’s services). Information gathered in the logs is, above all, processed for the purposes related to service provision. Data Controller also processes it for technical and administrative purposes in order to ensure safety of the IT system and managing this system as well as for analytical and statistical purposes – in this scope the legal basis of processing is a legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR).
REGISTRATION IN THE SRM
1. Persons who conduct registration in the Bike System are asked to enter data necessary for the processing and maintaining their account which is managed by the Data Controller. Such data may be removed at any point in time. Indication of data marked as obligatory is required for the purpose of setting up and maintaining the account and their non-indication results in lack of possibility to set up the account. Entering other data is voluntary.
2. Personal data of clients are processed for the purpose of:
a. Concluding and executing the Agreement according to the principles specified in the Terms of Service of the SRM with regards to natural persons acting in their own name pursuant to Art. 6 sec. 1 letter b of GDPR as processing of personal data is necessary in order to conclude and execute this Agreement according to the principles specified in the Terms of Service of the SRM.
b. Realization of obligations stemming from the provisions of law applicable to the Data Controller’s activity – pursuant to Art. 6 sec. 1 letter c of GDPR, that is, fulfilment of legal obligations with which the Data Controller is burdened, including those resulting from accounting, tax provisions or other special regulations.
c. Archiving – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, our legally justified interest which is the necessity to store evidence of conducted business.
d. Protection, establishing and pursuing claims – on the basis of Art. 6 sec. 1 letter f of GDPR.
e. Marketing own products and services further to sending commercial information concerning products, services, promotional offers and events – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, consent of the person who is the data subject if such consent was granted.
f. Ensuring safety of assets (equipment used as part of service provision) – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, justified interest of Nextbike Polska S.A. w restrukturyzacji which is the possibility to ensure safety of offered equipment through gathering information allowing to locate the bike.
g. Conducting analyses and statistics – the legal basis of processing is the legally justified interest of the Data Controller (Art. 6 sec. 1 letter f of GDPR), consisting of conducting analysis of activities of Users in the Service and the manner of using the account as well as User preferences in order to improve applicable functionalities;
2. If the User places any personal data of other persons on the Service (including first name and surname, address, telephone number or email address) he may do so solely under the condition of not breaching the provisions of law and personal goods of these persons.
CONTACT FORMS
1. Data Controller ensures the possibility of contacting them with the use of electronic contact forms. The use of the form requires entering Personal Data necessary in order to establish contact with the User and grant answers to the enquiry. The User may indicate also other data in order to facilitate contact or handling enquiries. Indication of data marked as obligatory is required for the purpose of accepting and handling enquiries and their non-indication results in lack of possibility of providing a service. Entering other data is voluntary.
2. Personal data are processed:
a. Handling demands or granting replies to questions submitted by means of the contact form – pursuant to Art. 6 sec. 1 letter f of GDPR, that is, legally justified interest of the Data Controller; legally justified interest of Data Controller is enabling handling of demands and granting replies to questions asked, in particular, by person interested in obtaining the services;
b. Monitoring and improving the quality of services, including service provided for clients – pursuant to Art. 6 sec. 1 letter f of GDPR, that is legally justified interest of the Data Controller; enabling increase in the quality of services constitutes a legally justified interest of the Data Controller.
IV. SOCIAL MEDIA PORTALS
1. Data Controller processes Personal Data of Users visiting profiles of the Controller maintained in social media (Facebook). Such data are processed solely in relation to maintaining a profile, including for the purpose of informing Users of Data Controller activities and promoting various types of events, services and products. Legal basis of personal data processing by the Data Controller for this purpose is his legally justified interest (Art. 6 sec. 1 letter f of GDPR),
V. COOKIES FILES AND THE SIMILAR TECHNOLOGY
1. Cookies files are small text files installed on User’s device browsing the Service. Cookies gather data that facilitate the use of the website – i.e. through remembering visits of the User in the Service and actions carried out by him.
“SERVICE” COOKIES
1. Data Controller uses the so-called service cookies, above all, in order to provide the User with services via electronic means and to improve the quality of such services. In this regard, Data Controller and other entities providing analytical and statistical services for him use cookies files, storing information or obtaining access to information already stored on the telecommunication end device of the User (computer, telephone, tablet etc.). Cookies files used for this purpose cover:
a. cookies files with data entered by the User (session identifier) for the duration of the session (user input cookies);
b. authentication cookies used for services that require authentication for the duration of the session;
c. user centric security cookies for ensuring safety, i.e. used for detection of abuses in the scope of authentication;
d. multimedia player session cookies (i.e. cookies files in flash player) for the duration of the session;
e. user interface customization cookies targeted at personalization of User interface for the duration of the session or slightly longer.
“MARKETING” COOKIES
1. Data Controller and its trusted partners also use cookies files for marketing purposes, among others, in relation to directing behavioural advertisements towards Users. For this purpose Data Controller and its trusted partners store information or obtain access to information already stored in the telecommunication User end device (computer, telephone, tablet etc.). List of trusted partners is available in Transparency Policy.
VI. ANALYTICAL AND MARKETING TOOLS APPLIED BY DATA CONTROLLER AND DATA CONTROLLER’S PARTNERS
1. Data Controller and its Partners apply various solutions and tools used for analytical and marketing purposes. Basic information concerning these tools may be found below. Detailed information in this regard may be found in the Privacy Policy of a given partner.
GOOGLE ANALYTICS
1. Google Analytics cookies files are files used by the Google company in order to analyse the manner of using the Service by the User in order to create statistics and reports concerning the Service operations. Google does not use the gathered data for identification of Users, nor does it combine this information in order to enable identification. Detailed information concerning the scope and the principles of collecting data in relation to this service may be found at: https://www.google.com/intl/pl/policies/privacy/partners.
GOOGLE ADWORDS
1. GOOGLE ADWORDS is a tool that enables measuring efficiency of advertising campaigns realized by Data Controller, allowing to analyse such data as keywords or number of unique users. The Google AdWords platform also allows to display our advertisements to persons who visited the Service in the past. Information concerning the processing of data by Google in the scope of the above service may be found at: https://policies.google.com/technologies/ads?hl=pl.
FACEBOOK PIXELS
1. Facebook pixels is a tool that enables measuring the effectiveness of advertising campaigns realized by the Data Controller on Facebook. The tool allows for an advanced analysis of data in order to optimize Data Controller’s actions also with the use of other tools offered by Facebook. Detailed information concerning data processing by Facebook may be found at: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
SOCIAL MEDIA PLUG-INS
1. Social media plug-ins are used by the Service (Facebook, Google+, LinkedIn, Twitter). The plug-ins enable the User to place the content published in the Service on selected social media portals. Applying plug-ins in the Service causes that the given social media service obtains information about the use of the Service by the User and thus may assign them to that User’s profile created in a given social media portal. Data Controller does not possess the knowledge on the goal and scope of gathering data by social media portals. Detailed information concerning this topic may be found under the below links:
a. Facebook: https://www.facebook.com/policy.php
b. Google: https://privacy.google.com/take-control.html?categories_activeEl=sign-in
c. LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL
d. Twitter: https://twitter.com/en/privacy
VII. MANAGING COOKIES SETTINGS
1. The use of cookies files in order to gather data by means of them, including obtaining access to data saved on the User’s device, requires obtaining the User’s consent. Such consent may be withdrawn at any point in time.
2. Permission is not required solely in case of cookies files the use of which is necessary in order to provide telecommunication services (data transmission in order to display content).
3. Withdrawal of a consent for the use of cookies files is possible by means of browser settings. Detailed information concerning this topic may be found under the below links:
a. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
b. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
c. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
d. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
e. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
4. The User may at any point in time verify the status of his current privacy settings assigned to the browser they use through the tools available under the below links:
a. http://www.youronlinechoices.com/pl/twojewybory
b. http://optout.aboutads.info/?c=2&lang=EN
VIII. PERIOD OF PROCESSING PERSONAL DATA
1. The period of data processing by Data Controller depends on the type of service provided and the goal of processing. As a rule, data are processed throughout the duration of service provision or order realization, execution of the legal obligation or until withdrawal of expressed consent or submission of effective objection against data processing in cases when the legal basis for processing of data is the legally justified interest of the Data Controller.
2. The period of data processing may be extended in case when the processing is necessary in order to establish and pursue potential claims or in order to protect oneself against claims and after such time solely in the case and scope in which the provisions of law shall require it. After the expiry of the period of data processing, their irrevocable removal or anonymization is obligatory.
IX. USER’S ENTITLEMENTS
1. The User shall be entitled to the right to access the content of data and demand their amendment, removal, limiting their processing, right to transfer data and submit an objection towards data processing as well as the right to submit complaints to the supervisory body dealing with the protection of personal data.
2. In the scope in which User data are processed on the basis of the consent such a consent may be withdrawn at any point in time through contact with the Data Controller.
3. The User is entitled to submitting an objection against data processing for marketing purposes should such processing occur in relation to the legally justified interest of the Data Controller as well as – due to causes related to a specific situation of the User – in other cases when the legal basis for data processing is the legally justified interest of the Data Controller (i.e. in relation to the realization of analytical and statistical goals).
4. More information concerning entitlements stemming from GDPR may be found in the Transparency Policy.
X. DATA RECIPIENTS AND TRANSFER OUTSIDE OF EEA
1. The anticipated recipients of personal data include: companies providing IT support to the data controller, suppliers of electronic post services and other IT services, post operators/couriers, entities servicing electronic payments; consulting companies with which the data controller cooperates, entities supporting marketing actions of the data controller, entities authorized to obtain personal data pursuant to actions at the order of the data controller or which provide services/goods to the data controller necessary to conduct its business as well as companies from the Nextbike groups.
2. At a certain stage, the transfer of personal data to third countries (outside of EEA) may be conducted. Data Controller conducts it on the basis of standard protection clauses (Art. 46, sec. 2 GDPR) and – if this is required – applies additional guarantees of protection of personal data in accordance with the standards in place in this regard or ensures another mechanism which complies with law and legalizes such a transfer to third states.
XI. CONTACT DETAILS
1. Contact with the data controller is possible via e-mail at [email protected], contact form at www.nextbike.pl, telephone at 22 208 99 90 or by letter to the address of the Nextbike Polska S.A. w restrukturyzacji seat.
2. Data Controller appointed Data Protection Inspector with which one may contact via e-mail at [email protected] concerning any matter related to personal data processing by the data controller.
XII. CHANGES IN THE PRIVACY POLICY
1. The policy is verified on an ongoing basis and updated if necessary.
2. The current version of the Policy was adopted and is binding as at 30.04.2024.
(Previous version)
1. Definitions
1.1. Controller – Nextbike Polska S.A. with its registered seat in Warsaw, ul. Przasnyska 6b, 01-756 Warsaw.
1.2. Mobile Application – mobile application available on mobile phones and portable devices, offered by the Controller for devices operating within Android and iOS systems.
1.3. Personal data – all information about a natural person identified or identifiable by one or more specific factors determining a physical, physiological, genetic, psychological, economic, cultural or social identity, including IP of device, location data, internet identifier, information collected via cookies files and by means of another similar technology.
1.4. Nextbike Group – companies belonging to the Nextbike group in the meaning of art. 4 point 14 of the Act of 16 February 2007 on protection of competition and consumers.
1.5. Client – natural person, participant of the Bike System who has accepted Terms of Service and carried out registration in the Bike System as well as concluded Agreement with the Operator.
1.6. Operator – entity realizing services related to maintenance of the Bike System.
1.7. Policy – hereby Privacy Policy.
1.8. Terms of Service – document specifying the principles and conditions of use of the Bike System, in particular in the scope of the rights and obligations and the responsibility of persons availing of the services of the Bike System, the Operator of which is the Controller. Terms of Service shall be available at the following address www.pszczynskirower.pl/en/rules
1.9. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.10. Service – internet service located at the address www.pszczynskirower.pl or available by means of Mobile Application through which the Controller provides services electronically to Users, in particular, the service consisting of facilitating the conduct of bike rentals.
1.11. Bike System – Service System Rowerów Miejskich w Pszczynie oraz Gminie Goczałkowice – Zdrój System realized according to the principles specified within the Terms of Service.
1.12. Act – Act from 10 May 2018 on Personal Data Protection (Journal of Laws from 2018, item 1000).
1.13. User – each natural person visiting the Service or availing of one of several services or functionalities, specified in the hereby Policy.
1.14. Trusted Partner – entity cooperating with the Controller, whose marketing contents are directed by the Controller towards Clients and Users.
2. Processing of data in relation to the use of the Service
2.1. In relation to the use by the User of the Service, the Controller gathers data in the scope necessary for the provision of individual offered services as well as information on User activity in the Service. Detailed principles and purposes of the processing of Personal Data gathered during the use of Services by the User have been specified below.
3. Purposes and legal bases for the processing of data in the Service
USE OF SERVICE
3.1. Personal data of all persons availing of the Service (including the IP address or other identifiers and information stored by means of the cookies files or other similar technologies), which are not registered Users (that is persons who do not have a set up profile within the Service), are processed by the Controller:
3.1.1. in order to provide services electronically in the scope of making available to users the contents collected on the website – in such case the legal basis for processing is the necessity of processing in order to implement the agreement (article 6, paragraph 1(b) of the GDPR);
3.1.2. for analytical and statistical purposes – in such case the legal basis for processing is the justified interest of the Controller (article 6, paragraph 1(f) of the GDPR), consisting of conducting the analysis of users’ activity, as well as their preferences in order to improve the used functionalities and provided services;
3.1.3. in order to possibly determine and pursue claims or defend against them – the legal basis for the processing is justified interest of the Controller (article 6, paragraph 1(f) of GDPR), consisting of the protection of its rights;
3.1.4. for marketing purposes of the Controller and other entities – rules for the processing of personal data for marketing purposes have been described in the “Marketing” section.
3.2. The User’s activities in the Service, including their Personal data, are recorded in system logs (special computer programme intended for the storing of chronological record containing information about events and activities concerning the IT system used to provide services by the Controller). Information collected in the logs is processed mainly for the purposes associated with the provision of services. The Controller also processes it for technical and administrative purposes, in order to ensure the security of the IT system, as well as management of this system, and also for analytical and statistical purposes – in this scope the legal basis for processing is the legally justified interest of the Controller (article 6, paragraph 1(f) of the GDPR).
REGISTRATION IN THE SYSTEM ROWERÓW MIEJSKICH W PSZCZYNIE ORAZ GMINIE GOCZAŁKOWICE-ZDRÓJ SYSTEM
3.3. Persons who carry out registration in the Bike System are asked to indicate data necessary for the creation and servicing of their account, which is administered by the Operator. Such data may be deleted at any time. Providing data marked as obligatory is required in order to set up and maintain the account, and failure to provide such data results in a lack of the possibility to set up such an account. Indication of the remaining data is voluntary.
3.4. Personal data are processed:
3.4.1. for the purpose of providing services related to the maintenance and servicing of an account within the Bike System – legal basis for the processing is the necessity to process data for the execution of agreement (art. 6 sec. 1 letter b of GDPR);
3.4.2. fulfilling public-legal obligations resting on the Controller, above all, those stemming from the accounting provisions and tax provisions – the legal basis for the processing will be the necessity to fulfil legal obligations resting on the Controller (art. 6 sec. 1 letter c of GDPR);
3.4.3. for analytical and statistical purposes – legal basis for the processing shall be the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of the conduct of analyses of User activities in the Service and the way the accounts are used, as well as User preferences for the purpose of improving the applied functionalities;
3.4.4. ensuring the possibility of monitoring the locations at which bikes are rented or to which they are returned in the Bike System or verification by means of GPS system where a given bike is located in case of lack of its return – legal basis for the processing shall be the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR); legally justified interest of the Controller is the protection of material interest through gathering information which enables locating a given bike;
3.4.5. in order to possibly determine and pursue claims or defend against them – the legal basis for processing is the justified interest of the Controller (art. 6 sec. 1 letter f of GDPR) consisting of the protection of its rights;
3.4.6. for marketing purposes of the Controller and other entities – rules for the processing of Personal data for marketing purposes have been described in the MARKETING section.
3.5. If a User places any sort of Personal data of other persons in the Service (including their first name, surname, address, telephone number or email address), they may do so solely under the condition of abiding by the provisions of the law and the rights of publicity to which these persons are entitled.
CONTACT FORMS
3.6. The Controller provides the possibility of contacting him with the use of electronic contact forms. Using the form requires providing Personal data, necessary for establishing contact between the User and for replying to the inquiry. The User may also provide other data in order to facilitate contact or enable handling of the inquiry. Providing data marked as obligatory is required in order to receive and handle the inquiry, and failure to provide such data results in the lack of possibility to handle such inquiry. Indication of the remaining data is voluntary.
3.7. Personal data are processed:
3.7.1. for the purpose of identifying the sender and handling their submitted inquiry by means of the available form – the legal basis for the processing shall be the necessity of processing for the execution of agreement on provision of service (art. 6 sec. 1 letter b of GDPR); in the scope of data indicated voluntarily the legal basis for their processing shall be the consent (art. 6 sec. 1 letter a of GDPR)
3.7.2. for analytical and statistical purposes – the legal basis for the processing shall be the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR), consisting of the maintenance of statistics of inquiries submitted by Users by means of the Service for the purpose of improving its functionality.
4. Marketing
4.1. The Controller processes Personal Data of Users for the purpose of realizing marketing actions which consist of carrying out actions related to the direct marketing of goods and services (sending commercial information electronically and telemarketing actions).
4.2. Personal data of Users may be used by the Controller in order to direct at them marketing content of entities from Nextbike Group as well as entities cooperating with the Controller on various channels, such as by means of an electronic post, including in the form of a newsletter, via text and MMS messages or via telephone. Such actions shall be undertaken by the Controller solely in case when the User has expressed consent which may be withdrawn by them at any time.
4.3. The list of entities forming part of the Nextbike Group and entities cooperating with the Controller may be found in section “NEXTBIKE Group and entities cooperating with the Controller” of our Policy of Transparency.
4.4. In order to realize marketing actions the Controller uses profiling in certain cases. This means that thanks to automated processing of data, the Controller performs an assessment of the selected factors concerning the Users in order to analyse their behaviours or create prognosis for the future. This allows for a better adjustment of the displayed content to the individual preferences and interests of Users.
5. SOCIAL MEDIA
5.1. The Controller processes Personal data of the Users visiting the Controller’s profile accounts in the social media (Facebook, YouTube, Instagram, Twitter). Such data are processed only in connection with the running of a given profile, including to inform Users about the activity of the Controller and to promote various types of events, services and products. The legal basis for the processing of Personal data by the Controller for this purpose is his justified interest (article 6, sec. 1, letter f of GDPR), consisting of promoting his own brand.
6. COOKIES FILES AND SIMILAR TECHNOLOGY
6.1. Cookies are small text files installed on a device of User browsing the website. Cookies collect information that facilitates the use of a given website – e.g. through memorizing User’s visits in the Service and the activities carried out by them.
“SERVICE” COOKIES
6.2. The Controller uses the so called service cookies mainly to provide the User with services ensured via electronic means and to improve the quality of these services. Thus, the Controller and other entities providing on its behalf analytical and statistical services use cookies by storing information or getting access to information already stored in User’s telecommunications end device (computer, telephone, tablet, etc.). Cookies files used for this purpose cover:
6.2.1. cookies files with data entered by a given User (session identifier) for the duration of a given session (user input cookies);
6.2.2. authentication cookies used for services requiring authentication for the duration of a given session (authentication cookies);
6.2.3. cookies used to ensure security, e.g. used to detect abuses in the scope of authentication (user centric security cookies);
6.2.4. session cookies for multimedia players (e.g. flash player cookies), for the duration of a given session (multimedia player session cookies);
6.2.5. permanent cookies used to personalize User interface for the duration of a given session or a little longer (user interface customization cookies).
“MARKETING” COOKIES
6.3. The Controller and its trusted partners also use cookie files for marketing purposes, such as directing behavioural advertising towards Users. For this purpose, the Controller and its trusted partners store information, or obtain access to information already stored, in the end telecommunication device of a given User (computer, telephone, tablet, etc.).
7. Location data
7.1. The Controller processes personal data of Clients relating to location in order to be able to check, with the use of the GPS system, the location at which bikes were rented or to which they were returned within the Bike System, or to verify where a bike is located if it has not been returned. The legal basis for the processing is the legally justified interest of the Controller (art. 6 sec. 1 letter f of GDPR); this interest is the protection of the Controller’s material interest through gathering information which enables a bike to be located.
8. Analytical and marketing tools applied by the CONTROLLER and its partners
8.1. The Controller and its Partners apply various solutions and tools for analytical and marketing purposes. Some basic information regarding these tools is presented below. Detailed information in this scope may be found in the privacy policy of a given partner.
GOOGLE ANALYTICS
8.2. Google Analytics cookies are files used by Google to analyse how a User uses the website and to generate statistics and reports regarding the functioning of the Service. Google does not use the collected data to identify Users and it does not combine this information in order to allow identification. Detailed information about the scope and rules of data collection in connection with this service may be found at: https://www.google.com/intl/pl/policies/privacy/partners.
GOOGLE ADWORDS
8.3. Google Adwords is a tool which enables measurement of the efficiency of advertising campaigns carried out by the Controller, allowing analysis of such data as, for instance, keywords or the number of unique users. The Google Adwords platform also allows our advertisements to be displayed to persons who visited our Service in the past. Information on the processing of data by Google in the scope of the above specified service is available at: https://policies.google.com/technologies/ads?hl=pl.
FACEBOOK PIXELS
8.4. Facebook pixels is a tool which enables measurement of the efficiency of advertising campaigns realized by the Controller on Facebook. This tool allows for an advanced data analysis for the purpose of optimizing actions of the Controller also with the use of other tools offered by Facebook. Detailed information on the subject of data processing by Facebook may be found at: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
SOCIAL PLUG-INS
8.5. The Service uses plug-ins to social media portals (Facebook, Google+, LinkedIn, Twitter). Plug-ins allow Users to share the content published in the Service in the selected social media. As a result of the use of plug-ins by the Service, a given social media portal obtains information on the use of the Service by a given User, and such information may be assigned to the profile of that User created in that social media portal. The Controller does not possess any knowledge regarding the purpose and scope of data gathering by social media portals. Detailed information on this topic may be found at the following links:
8.5.1. Facebook: https://www.facebook.com/policy.php
8.5.2. Google: https://privacy.google.com/take-control.html?categories_activeEl=sign-in
8.5.3. LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=pl_PL
8.5.4. Twitter: https://twitter.com/en/privacy
9. Managing cookies settings
9.1. The use of cookie files for the purpose of gathering data through them, including obtaining access to data saved on the User’s device, requires the consent of that User. Such consent may be withdrawn at any time.
9.2. Consent is not required only in the case of cookie files whose use is necessary for the provision of telecommunication service (data transmission for the purpose of content display).
9.3. Withdrawal of consent for the use of cookie files is possible by means of one’s browser settings. Detailed information on this topic may be found at the following links:
9.3.1. Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorer-delete-manage-cookies
9.3.2. Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
9.3.3. Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
9.3.4. Opera: http://help.opera.com/Windows/12.10/pl/cookies.html
9.3.5. Safari: https://support.apple.com/kb/PH5042?locale=en-GB
9.4. The User may verify the status of their current privacy settings at any time with regards to the used browser, by means of the tools available at:
9.4.1. http://www.youronlinechoices.com/pl/twojewybory
9.4.2. http://optout.aboutads.info/?c=2&lang=EN
10. PERIOD OF THE PERSONAL DATA PROCESSING
10.1. The period of data processing by the Controller depends on the type of provided service and the purpose of processing. As a rule, data are processed for the period of provision of service or realization of order, until the time of withdrawal of the granted consent or submission of effective objection towards the processing of data in cases when the legal basis for the processing of data is the legally justified interest of the Controller.
10.2. The data processing period may be extended when the processing is necessary to establish or pursue potential claims or defend against claims, and after this period only in the case and to the extent required by the provisions of law. After expiry of the processing period, the data are irreversibly deleted or anonymised.
11. User authorizations
11.1. The User shall be entitled to access the content of their data and to demand their amendment, removal or the limiting of their processing, and shall have the right to transfer data, the right to submit an objection towards their processing, and the right to submit a complaint to the supervisory body dealing with personal data protection.
11.2. In the scope in which User data are processed pursuant to their consent, they may withdraw it at any time by contacting the Controller.
11.3. The User is entitled to submit an objection against the processing of data for marketing purposes should such processing occur pursuant to the legally justified interest of the Controller, as well as – due to reasons related to a particular situation of a given User – in other cases when the legal basis for the processing of data is the legally justified interest of the Controller (i.e. in relation to the realization of analytical and statistical purposes).
11.4. More information on the entitlements stemming from GDPR may be found within our Transparency Policy.
12. DATA RECIPIENTS
12.1. In connection with the provision of services, Personal data shall be disclosed to external entities, including in particular entities from Nextbike Group, entities cooperating with the Controller (so-called trusted partners), providers responsible for servicing IT systems, entities such as banks and payment operators, entities providing accounting services, and marketing agencies (in the scope of marketing services).
12.2. In case of obtaining consent from a User, their data may also be disclosed to other entities for their own purposes, including marketing purposes.
12.3. The Controller reserves the right to disclose selected information regarding Users to competent authorities or third parties who will submit a request for providing such information in accordance with an appropriate legal basis and pursuant to the provisions of applicable law.
13. TRANSFER OF DATA OUTSIDE THE EEA
13.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by the European law. Due to that fact, the Controller transfers personal data outside the EEA only when it’s necessary and subject to ensuring an adequate level of protection, mainly through:
13.1.1. cooperation with entities processing personal data in countries in regard to which an appropriate decision of the European Commission has been issued concerning ensuring adequate degree of personal data protection;
13.1.2. use of standard contractual clauses issued by the European Commission;
13.1.3. application of binding corporate rules approved by a competent supervisory authority;
13.1.4. in the case of data transfer to the USA – cooperation with entities participating in the Privacy Shield program, approved by the European Commission.
14. SECURITY OF PERSONAL DATA
14.1. The Controller carries out market analysis on an ongoing basis for the purpose of ensuring that Personal data are processed in a safe manner, ensuring above all that access to data is granted solely to authorized persons and exclusively to the extent necessary for the tasks carried out by them. The Controller shall take steps to ensure that all operations on Personal data are registered and made solely by authorized employees and collaborators.
14.2. The Controller also undertakes all necessary actions to ensure that its subcontractors and other cooperating entities guarantee the use of appropriate security measures in every case when they process personal data on behalf of the Controller.
15. Contact data
15.1. The Controller may be contacted by means of the following e-mail address: [email protected], via the contact form at www.nextbike.pl, via telephone at 22 208 99 90, or in writing at the address of the seat of Nextbike Polska S.A.
15.2. The Controller appointed a Data Protection Officer, who may be contacted using the following e-mail address: [email protected] regarding any matter concerning personal data processing.
16. Changes to the Privacy Policy
16.1. This policy is verified on an ongoing basis and it is updated if such a need occurs.
16.2. The current version of this Policy was adopted on 9 May 2020.