Information clause for Customers

The Personal Data Administrator’s information clause for Customers

1. 1. Malwina Jurczyk conducting business activity under the company "BK TURISMO MALWINA JURCZYK" with its headquarters at the address Wrocław 86/2 Mrągowska Street, 54-111, Wrocław post office, entered in the Central Register and Information on Economic Activity, Tax Identification Number: 6731840516, National Business Registry Number: 361397503 is the Personal Data Administrator (hereinafter referred to as the Administrator) of her customers with whom she has concluded a service agreement, and participants of loyalty programs, partnership programs or competitions organized by the Administrator, hereinafter referred to collectively as the Customers.
2. 2. Respecting the rights of the Customers as personal data subjects (data subjects) and respecting the laws in force, including in particular the Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (the General Data Protection Regulation) hereinafter referred to as the GDPR, the Act of 10 May 2018 on protection of personal data (Journal of Laws 2018.1000) hereinafter referred to as the Act, and other relevant regulations on personal data protection, the Administrator is committed to maintain the security and confidentiality of the personal data obtained from the Customers. All employees have been professionally trained in the processing of personal data, and the Personal Data Administrator implemented appropriate safeguards and also technical and organizational measures to ensure the highest level of personal data protection. The Administrator have procedures and Personal Data Protection Policies in accordance with the GDPR and the Act, which ensure the lawfulness and reliability of data processing, as well as the enforceability of any rights the Customers may have as data subjects. Additionally, if necessary, the Administrator cooperates with the supervisory authority in the Republic of Poland, which is the President of the Personal Data Protection Office (hereinafter referred to as UODO).
3. Customers' personal data are processed by the Administrator in order to:
   a) perform Agreements and provide services resulting from the legal relations between the Administrator and the Customers,
   b) perform the loyalty or partnership program run by the Administrator and take part in it by the Customers,
   c) perform competitions organized by the Administrator and take part in them by the Customers.
4. In accordance with the principle of minimization expressed in the GDPR regulations, the Administrator processes only those categories of personal data which are necessary to achieve the purposes referred to in the preceding sentence.
5. The provision of personal data is voluntary but necessary for the conclusion and execution of the Agreements concluded by the Administrator with the Customers, as well as for the Customers to take part in a loyalty program, a partner program or a competition organized by the Administrator and their full realization.
6. The Administrator shall process personal data for the period necessary to achieve the objectives set out in point 3 above. Personal data may be processed for a longer period than indicated in the preceding sentence, if such an entitlement or obligation imposed on the Administrator results from specific provisions of law or from the Administrator's legally justified interest referred to in point 7 letter c, below (for the limitation period for claims or the completion of relevant proceedings, if they have been initiated during limitation period).
7. The sources of personal data processed by the Administrator are Customers who are the data subjects. The Administrator may also process the data of her Customers’ employees on the basis of the access, if the agreement concluded with the Customer requires the necessity to act through them.
8. The legal basis for processing Clients’ personal data is:
   a) Article 6(1)(b) GDPR – necessity for the performance of an Agreement concluded between the Administrator and the Customer or in order to take steps at the request of the data subject prior to entering into an Agreement, or
   b) Article 6(1)(c) GDPR - necessity for compliance with a legal obligation to which the Administrator is subject, or
   c) Article 6(1)(f) GDPR - the legitimate interest of the Administrator to establish, pursue or defend claims for their limitation period or until the relevant proceedings, if any, have been instituted within that period, or
   d) Article 6(1)(a) GDPR – Customer’s consent to the processing of personal data for specific purposes when other laws for processing personal data do not apply.
9. Personal data are not transferred to a third country or an international organization within the meaning of the rules of GDPR. When personal data are transferred to a third country or an international organization, Customers will be informed in advance and the Administrator will apply safeguards referred to in Chapter V of the GDPR.
10. The Administrator does not make any personal data available to third parties without the explicit consent of the data subject. Personal data without the data subject’s consent may be disclosed only to public law bodies, which are authorities and administrative authorities (e. g. tax authorities, law enforcement agencies and other entities with a mandate under common law, such as the Polish Social Insurance Institution or the Inland Revenue).
11. Personal data may be entrusted for processing to Entities processing such data on behalf of the Administrator. In such a situation, the Administrator concludes an agreement with the Entity to entrust the processing of personal data. The Entity processing the entrusted personal data shall process the entrusted data but only for the needs to the extent and for the purposes indicated in the entrustment agreement referred to in the preceding sentence. Without entrusting personal data for processing, the Administrator could not conduct her business activity and execute concluded agreements. The Administrator entrusts personal data of the Customers’ to:
    a) IT companies providing hosting services, operating Internet domains and handling computer systems used by the Administrator,
    b) companies providing postal, courier and transport services to the Administrator – in order to deliver correspondence,
    c) companies providing other services to the Administrator, which are necessary for the Administrator's current operations, including in particular to organize and carry out a loyalty program, partnership program or a competition.
12. The personal data of the Customers are not subject to profiling by the Administrator within the meaning of the provisions of the GDPR.
13. According to the provisions of the GDPR, the Customers have the right to:
    a) be informed about the processing of personal data referred to in Article 12 GDPR,
    b) to access their personal data, referred to in Article 15 GDPR,
    c) to correct, supplement, update, rectify personal data referred to in Article 16 GDPR,
    d) the erasure of data (right to be forgotten), as referred to in Article 17 GDPR,
    e) restrictions of processing referred to in Article 18 GDPR,
    f) the data portability referred to in Article 20 GDPR,
    g) to object to the processing of personal data as referred to in Article 21 GDPR,
    h) in case of the legal basis referred to in point 8 letter d above - the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal,
    i) not to be subject to the profiling referred to in Article 22 in conjunction with Article 4 point 4 GDPR,
    j) lodge a complaint with a supervisory authority (to the President of the Personal Data Protection Office), referred to in Article 77 GDPR,
    considering the rules of using and realizing these rights under the GDPR regulations.
14. If the Customers wish to exercise their rights referred to in the previous point, please send a message by e-mail or in writing to the e-mail address or correspondence address referred to in point 15 below.
15. All inquiries, requests and complaints concerning the processing of personal data by the Administrator, hereinafter referred to as Applications, should be sent to Administrator’s address in accordance with headquarters of the company.
16. The content of the Application must clearly indicate:
    a) the person(s) concerned by the Application,
    b) the event that is the reason for the Application,
    c) your demands and the legal basis for those demands,
    d) the expected way the matter will be handled.
17. Each identified case of breach of security is documented and in the event of one of the situations specified in regulations of GDPR or the Act, the data subjects are informed about such a breach of regulations of personal data protection and, if applicable, UODO.