I. DEFINITIONS
Whenever the following terms are capitalised in this Privacy Policy, they should be understood in the meanings specified in the following definitions:
-
- Controller – Against Gravity Sp. z o.o. with its registered office in Warsaw, at ul. Bukowińska 26c/12, 02-703 Warsaw, Poland, registered at the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, entry number: KRS 0000199919, share capital: PLN 50,000 (fully paid up), NIP (taxpayer ID): 5262757178, REGON (statistical ID): 015682568. In any and all matters concerning personal data protection, we can be contacted by e‑mail at: kontakt@againstgravity.pl or by regular post at: Against Gravity Sp. z o.o., ul. Bukowińska 26c/12, 02-703 Warsaw, Poland.
- Personal Data – any and all information about a natural person, whether identified or identifiable by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity – as long as these factors enable identification of the User, including the IP of the device, location data, online identifier and details collected through cookies and other similar technology.
- Policy – this Privacy Policy.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and the provisions regulating situations covered by the Polish Act of 18 July 2002 on the provision of electronic services (Dz.U. of 2017, item 1219, as amended).
- Website – the website maintained by the Controller at mdag.pl.
- User – any natural person visiting the Website or using one or more services or functionalities described in this Policy.
II. PROCESSING OF DATA AND/OR PERSONAL DATA IN CONNECTION WITH THE USE OF THE WEBSITE
- This Policy contains information concerning the processing of Personal Data collected during the User's use of the Website, as well as rules related to the use of cookies and/or other similar technologies.
- In connection with the User's use of the Website, the Controller collects data to the extent necessary to provide specific services offered, as well as information about the User's activity on the Website, in particular information collected through cookies. Cookie files collected as part of using the Website serve to identify the User, and the User's identity is established on their basis. Despite the fact that cookies do not serve to identify the User, cookies combined with other unique identifying information concerning the User may constitute personal data.
- In the event that Users are enabled to use additional functionalities, such as using a contact form or ordering a newsletter, relevant details concerning the processing of Personal Data and the scope of the processing thereof will be made available for the aforementioned functionalities when such data are collected.
- Creating a User Account is voluntary (the User is not legally obliged to create an account; however, providing Personal Data is a pre-condition for creating a User Account on the Website). To create a User Account on the Website, the User needs to fill in a registration form where the User provides certain data. The form contains mandatory data that the User is required to provide, and optional data that the User may or may not provide. When a User has registered on the Website, Personal Data provided by the User and information about the User's use of the Website will be processed.
The provision of Personal Data is not a statutory requirement, i.e. the User is not legally obliged to provide data for the purpose of creating an account on the Website. At the same time, provision of the data marked as mandatory is a pre‑condition for creating an account on the Website. Failure to provide the data marked as mandatory prevents the User from creating an account on the Website and from using the functionalities that can only be used after creating an account, as set out in the Terms and Conditions of the Website.
-
- Below described are the detailed rules and purposes of processing Personal Data collected during the User's use of the Website.
- The Controller carries out processing operations for the following categories of Personal Data (if made available to the Controller):
- The service user's electronic addresses, e-mail,
- Full name,
- User's VAT identification number, for businesses,
- Business name (if provided),
- PESEL registration number or, if no PESEL number has been issued, passport number, identity card number or number of another identity document (if required to sign the contract),
- Mailing address, if different from the address referred to above,
- User's IP address.
- After filling in the contact form or subscribing to a newsletter, the User receives access to this Privacy Policy and data about the Controller. The provision of Personal Data is voluntary but required to contact the Controller or receive the newsletter.
- Provision of Personal Data is not required for viewing the content of the website except for automatically received data about connection parameters.
III. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING ON THE WEBSITE. USING THE MDAG.PL WEBSITE
- Personal Data of all persons who use the Website (including the IP address or other identifiers and details collected via cookies or other similar technologies) who are not registered Users (i.e. who do not have a profile on the Website) are processed by the Controller:
- in order to provide services by electronic means related to the provision of the content accumulated on the Website, saving information about selected screenings and events, making bookings within the Mój Festiwal (My Festival) service, providing contact forms – in this case the processing is based on the necessity of data processing for the performance of the contract (Article 6(1)(b) of the GDPR);
- for analytical and statistical purposes – in this case the processing is based on the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in analysing Users' activities and preferences in order to improve the existing functionalities and services provided;
- to fulfil the obligations under the law, in particular for the purposes of determining and asserting claims or defence against claims, if any – in this case, the processing is based on the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of its rights;
- for marketing purposes of the Controller and other entities (Trusted Partners), in particular those related to the presentation of behavioural advertising – the rules of personal data processing for marketing purposes are described in the "MARKETING" section hereof, provided that the User has given his/her relevant consent; as well as for other marketing-related activities, i.e. in particular satisfaction surveys.
- The User's Personal Data will be processed with User's consent for the marketing purposes of the Controller's Partners, in particular those related to the presentation of behavioural advertising pursuant to Article 6(1)(a) of the GDPR.
- The User's activities on the Website, including his/her personal data, are recorded in system logs (a special computer register used to store chronological records with information on events and actions concerning the IT system used by the Controller to provide its services). The information collected in the logs is processed in connection with the provision of services. The Controller also processes such information for technical purposes, in particular when the data may be temporarily stored and processed in order to ensure security and correct operation of IT systems, e.g. in connection with backup copies, tests of changes to IT systems, detection of irregularities or protection against abuse and attacks.
IV. REGISTRATION ON MDAG.PL
- Individuals who register on the Website are asked to provide the data necessary to create and operate their account. To facilitate handling, the User may provide additional data, thus consenting to their processing. Such data may be deleted at any time. The provision of data marked as mandatory is required in order to create and operate an account, and failure to provide such data results in the lack of possibility to create an account. The provision of other data is voluntary.
- Personal Data are processed:
- in order to provide services related to the maintenance and operation of an account on the Website – in this case, the processing is based on the necessity of the processing for the performance of a contract (Article 6(1)(b) of the GDPR), and with regard to the data provided on an optional basis – the processing is based on consent (Article 6(1)(a) of the GDPR);
- for analytical and statistical purposes – the processing is based on the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in analysing Users' activity on the Website and the manner of using the account, as well as their preferences in order to improve the functionalities applied;
- to fulfil the obligations under the law, in particular for the purposes of determining and asserting claims or defence against claims, if any – in this case, the processing is based on the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of its rights.
- If the User places any Personal Data of other persons on the Website (including their name, address, telephone number or e-mail address), the User may do so only on condition that they do not violate the provisions of applicable law and personal interests of those persons. The Controller does not require Users to provide Personal Data of other persons.
V. MARKETING
DIRECT MARKETING
- If the User has consented to receive marketing information by e-mail, SMS and other electronic means of communication, the User's Personal Data will be processed to send such information. The data processing is based on the Controller's legitimate interest, consisting in sending marketing information within the limits of the consent granted by the User (direct marketing). The User has the right to object to data processing for direct marketing, including profiling. The data will be stored for the aforementioned purpose for the period of the Controller's legitimate interest, unless the User objects to receiving marketing messages.
VI. SOCIAL MEDIA
-
- The Controller processes the Personal Data of Users who visit the Controller's profiles in social media (Facebook, YouTube, Instagram, Twitter, Google+, Pinterest, FreshMail Sp. z o.o., MailChimp). These data are processed only in connection with maintaining the profile, in order to inform Users about the Controller's activity and to promote various events, services and products, as well as to communicate with Users through the functionalities available in social media. For these purposes, the processing is based on the Controller's legitimate interest (Article 6(1)(f) of the GDPR) consisting in promoting its own brand as well as building and maintaining a community around the brand.
- The Controller may share information about the User's IP address and browser ID.
- The User's data will be made available to other recipients in connection with the optimisation of Facebook advertising (activity record) and Controller's social media (activity record). The User Data will be received by Facebook Ireland Limited (4 Grand Canal Square, Dublin, Ireland, Dublin 2).
- In connection with the transfer of data to Facebook Ireland, User Data (statistics of website access, product purchase history) may be made available to Facebook's partners, and also transferred to the USA under the standard contractual clauses approved by the European Commission. Information about the data processing rules and the possibility of exercising User's rights under the GDPR is provided in "Data Policy": https://www.facebook.com/privacy/explanation
- The User's data will be made available to other recipients in connection with the optimisation of Facebook advertising (activity record) and Controller's social media (activity record). The User Data will be received by Facebook Ireland Limited (4 Grand Canal Square, Dublin, Ireland, Dublin 2).
- The Website uses the so-called social plugins offered by Instagram, handled by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA (hereinafter: "Instagram") – IP address. Instagram's privacy policy can be found here: https://help.instagram.com/155833707900388/
- The Website uses the so-called social plugins offered by Pinterest Europe Ltd., an Irish company based at: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland – IP address. Pinterest's privacy policy can be found here: https://policy.pinterest.com/pl/privacy-policy
- The transfer of personal data outside the EEA may take place in connection with the Controller's use of analytical or advertising services provided by Google LLC, including Google Adwords and Google Analytics – statistical data, information about IP addresses. In this case, the transfer will take place to the United States of America on the basis of the European Commission's decision (the so-called "Privacy Shield"), stating that an adequate level of Personal Data protection is ensured for entities participating in the programme, including the provider of the aforementioned services: Google LLC, Mountain View, California. Data collection and processing rules are available at the following address: www.google.com/intl/pl/policies/privacy/partners/. Google also processes User's personal data in the USA, regulated by the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
- The Website uses the so-called YouTube plugins, operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube") – IP address. YouTube is a platform for playing audio and video files. More information on the purpose and scope of data collection and processing by YouTube can be found in the Privacy Statement. It also provides further information about User's rights and settings to protect User's privacy: https://policies.google.com/privacy?hl=pl&gl=pl.
- The Website uses the so-called Twitter plugins. Twitter is operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA ("Twitter") – IP address. An overview of Twitter plugins and their appearance can be found here: https://twitter.com/about/resources/buttons; information about Twitter's privacy policy can be found here: https://twitter.com/privacy.
- In order to manage the list of users, the Controller uses the Mailchimp service, where some of the Users' data are stored. Mailchimp is a service for managing address lists and e-mailing, provided by Mailchimp Inc. based in the USA. Mailchimp has its own privacy policy at: https://mailchimp.com/legal/privacy/.
- In order to manage the list of Users, the Controller uses a FreshMail product – a service for managing address lists and e-mailing. FreshMail is Polish limited liability company with its registered office in Krakow, entered into the Register of Entrepreneurs of the National Court Register by the District Court for Krakow-Śródmieście in Krakow, 11th Commercial Division of the National Court Register, entry No.: KRS 0000497051. FreshMail's privacy policy is available at the following address: https://freshmail.pl/polityka-prywatnosci/
- In order to send e-mail messages to Users, the Administrator uses SendGrid, an email solution delivered by Twilio Ireland Limited. Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland. Twilio Ireland Limited’s privacy policy is available at https://www.twilio.com/legal/privacy
- In principle, Personal Data are not transferred to a third country or an international organisation outside the European Economic Area (EEA). However, such transfers may take place to the extent described below.
VII. MOBILE APPLICATIONS
-
- The Controller processes Users' personal data also in order to enable the use of services offered on the Website, as well as additional services via mobile applications (apps) (Facebook, YouTube, Instagram, Twitter, Google +, Pinterest, FreshMail Sp. z o.o., MailChimp, Twilio Ireland Limited). Users' data are processed for registration and use of mobile apps. The data processing in this respect is based on the necessity to perform the contract (Article 6(1)(b) of the GDPR).
- By means of mobile apps, Users may, in particular: browse the product range of the Website, access their account on the Website, place orders and make payments for them, familiarise themselves with the information available in the mobile app and use other functionalities available in the mobile app. The Controller hereby advises that due to technical limitations the mobile app does not provide all functionalities of the Website available through the Website.
VIII. COOKIES AND SIMILAR TECHNOLOGY
- Cookie files are IT data, in particular small text files, which are stored in the Website User's end device and are designed to use the Website. Cookies collect information which facilitates the use of the Website, e.g. by remembering User's visits to the Website and actions performed by the User. Cookies usually contain the name of the source website they originate from, the storage time on the end device and a unique number.
SERVICING COOKIES
- The Controller uses the so-called servicing cookies, primarily to provide the User with services provided electronically and to improve the quality of those services. Consequently, the Controller as well as other entities which provide analytical and statistical services to the Controller use cookies, storing information or gaining access to information already stored in the User's end device (computer, telephone, tablet, etc.).
2.1 The cookies used for this purpose include:
-
- user input cookies with data entered by the User (session ID) for the duration of the session;
- authentication cookies used for services that require authentication during the session;
- user centric security cookies to ensure security, e.g. to detect misuse of authentication;
- multimedia player session cookies (e.g. Adobe Flash Player cookies), for the duration of the session;
- user language customization cookies – persistent cookies to personalise the User's language for the duration of the session or slightly longer,
- shopping cart cookies to remember the content of 'My Festival’ for the duration of the session.
- Cookies which are used to monitor website traffic, i.e. data analytics, including Google Analytics cookies (i.e. files used by Google to analyse the way the User uses the Website, to create statistics and reports for the Website). Google does not use the collected data to identify the User nor does it link this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at the following website: https://www.google.com/intl/pl/policies/privacy/partners.
- Users can change their privacy settings in the relevant options in their web browser or application.
- Users can delete cookies from their device on their own. In order to erase cookies from the User's end device (computer, telephone, tablet, etc.), the browser cache must be cleaned and cookies must be deleted. The cache cleaning and deletion of cookies should be done in the browser settings. The settings may vary, depending on the browser and its version.
IX. THE PERIOD OF PERSONAL DATA PROCESSING
1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. In principle, data are processed for the duration of the service provision or the execution of an order, until the withdrawal of the consent or effective objection to data processing in cases where data processing is based on the Controller's legitimate interest.
2. The duration of data processing may be extended where the processing is necessary for the establishment and assertion of possible or defence against claims, if any, and thereafter only if and to the extent required by law. After the processing period has expired, the data are either irreversibly erased or anonymised.
3. Personal Data will be processed until the User deletes their account on the Website, and then for the following period:
-
- the period provided for the implementation of the obligations arising from the legal provisions regarding defence, security of the country, and public safety and order, as well as from tax and accounting regulations,
- the period of limitation of claims and until the completion of civil, enforcement-related, administrative and criminal proceedings which require data processing and, in the case of consent, until the purpose of consent has been achieved or consent has been revoked, whichever comes earlier.
X. USER RIGHTS
1. Data subjects have the following rights:
- The right of access to data and information about the processing of Personal Data – on this basis, the Controller will provide the person making such a request with information about the processing of personal data, including, above all, about the purposes and legal basis of the processing, the scope of the data held, the subjects to whom the Personal Data are disclosed and the proposed date of deletion of Personal Data;
- The right to obtain a copy of the data – on this basis, the Controller will provide a copy of the processed data relating to the person who makes the request;
- The right to request the rectification of data – on this basis, the Controller will remove inconsistencies or errors, if any, concerning the personal data being processed, and will complete or update the date if incomplete or changed;
- The right to have data erased – the 'right to be forgotten' – on this basis, the User may demand the erasure of data which no longer need to be processed for any of the purposes for which they were collected;
- The right to restrict the processing – on this basis, the Controller will cease to carry out operations on the Personal Data, except for the operations to which the Data Subject has consented and except their storage in accordance with the adopted retention rules, or until the reason for restriction of processing has ceased to exist (e.g. a decision of a supervisory authority is issued, authorising further processing);
- The right to data portability – on this basis, to the extent to which the data are processed in connection with a contract signed or consent given, the Controller will release the data provided by the Data Subject in a computer-readable format. It is also possible to demand that the data be sent to another entity – however, this can be done on condition that there are technical possibilities in this respect both on the part of the Controller and that other entity;
- The right to object to the processing of data for marketing purposes – the Data Subject may at any time object to the processing of their personal data for marketing purposes without having to justify such an objection;
- The right to object to other purposes of data processing – the Data Subject may at any time object to the processing of their Personal Data on the basis of the Controller's legitimate interest (e.g. for analytical or statistical purposes or for reasons related to the protection of property). An objection in this regard should contain a justification and will be subject to the Controller's review;
- The right to withdrawal of consent – if the data are processed on the basis of consent, the Data Subject has the right to withdraw such consent at any time, but this does not affect the lawfulness of the processing carried out before the consent was withdrawn;
- The right to lodge a complaint – if it has been established that the processing of Personal Data violates the provisions of the GDPR or other data protection regulations, the Data Subject may lodge a complaint with the President of the Personal Data Protection Office (UODO).
- Requests for the exercise of the rights of data subjects may be made:
a. in writing, to the following address: Against Gravity, ul. Bukowińska 26C / 12, 02-703 Warsaw, Poland;
b. by e-mail, to the following address: kontakt@againstgravity.pl
c. the request should, as far as possible, precisely specify the request, i.e. it should indicate in particular:
- which right the User wishes to exercise (e.g. the right to receive a copy of the data, the right to have the data erased, etc.);
- which processing process the request pertains to (e.g. use of a specific service, activity on a specific website, receiving a newsletter with commercial information to a specific e-mail address, etc.);
- the processing purposes covered by the request (e.g. marketing purposes, analytical purposes, etc.).
- If the Controller is unable to determine the content of the request or to identify the User who has submitted the request based on the request made, the Controller will request additional information from the applicant.
- Response to applications will be made within one month of receipt. If this period needs to be extended, the Controller will inform the applicant of the reasons for such an extension.
- A response will be sent to the e-mail address the application was sent from, or, in the case of applications submitted by regular post, by ordinary letter to the address indicated by the applicant, unless the letter indicates that the response should be sent to an e‑mail address (in which case the e-mail address must be provided).
XI. DATA RECIPIENTS
1. In connection with the provision of services, Personal Data will be disclosed to external entities, in particular to suppliers responsible for the operation of IT systems – i.e. entities such as banks and payment operators, entities providing accounting, legal, auditing, consulting services, couriers (in connection with the execution of orders), marketing agencies (with regard to marketing services) and entities related to the Controller, including its business partners. In case of a purchase made from an entity other than the Controller, via Eventival, PayPal and PayU platforms, the User data will be disclosed to the seller in order to conclude and execute a sales contract;
2. If the User's consent has been obtained, the User's data may also be made available to other entities for their own purposes, including marketing purposes.
3. The Controller reserves the right to disclose selected information concerning the User to competent authorities or third parties who request such information on a relevant legal basis and in accordance with the applicable provisions of law.
4. Upon the User's consent, access to information on using the Website may be provided to Trusted Partners (Studio Kropka s.c. Piotr Szyngiera, Krzysztof Kijak, Katarzyna Tomaszewska; Network Automation Systems Dawid Zając, bSimple - Bartłomiej Moszyński), who use cookies or similar technologies to collect and process personal data in order to personalise the content. Trusted Partners cooperating with the Controller in connection with the use of their services or tools which allow, among others, the personalisation of the content and services offered on the Website, belong to the following categories: advertisers, media houses, companies which offer tools for managing advertising campaigns and owners of websites, in particular: Google, Facebook.
XII. TRANSFER OF DATA OUTSIDE THE EEA
- The level of personal data protection outside the European Economic Area (EEA) is different from that provided by the EU law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, primarily through the following:
- cooperation with entities which process Personal Data in countries where a relevant decision has been issued by the European Commission;
- the use of standard contractual clauses issued by the European Commission;
- application of binding corporate rules, approved by the competent supervisory authority;
- in the case of data transfer to the USA – cooperation with entities which participate in the Privacy Shield programme, approved by the European Commission in its decision.
- The Controller always provides information about the intention to transfer Personal Data outside the EEA at the stage when Personal Data are collected.
- The User's personal data may be transferred to countries/international organisations outside the European Economic Area if these countries/organisations have been recognised by a decision of the European Commission as ensuring an adequate level of Personal Data protection versus the level of protection in force in the European Economic Area, or provided that appropriate safeguards are in place, where such safeguards may consist in the use of binding corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by the President of the Personal Data Protection Office (UODO), or contractual clauses authorised by the President of the Personal Data Protection Office. Personal Data may be transferred outside the EEA under the terms and conditions described in this Privacy Policy.
XIII. PERSONAL DATA SECURITY
1. The Controller conducts an ongoing risk analysis to ensure that the Personal Data are processed in a secure manner, ensuring in particular that only authorised individuals have access to the data and only to the extent necessary for the performance of their tasks. The Controller ensures that all operations involving Personal Data are recorded and performed only by authorised employees and collaborators.
2. The Controller takes all necessary steps to ensure that its subcontractors and other cooperating entities (Studio Kropka s.c. Piotr Szyngiera, Krzysztof Kijak, Katarzyna Tomaszewska; Network Automation Systems Dawid Zając, bSimple - Bartłomiej Moszyński) guarantee the application of appropriate security measures whenever they process Personal Data upon the Controller's order.
XIV. CONTACT DETAILS
1. The Controller can be contacted via e-mail at: kontakt@againstgravity.plor by regular mail at: Against Gravity Sp. z o.o. , ul. Bukowińska 26C/12, 02-703 Warsaw, Poland.
XV. AMENDMENTS TO PRIVACY POLICY
1. This Privacy Policy is reviewed on an ongoing basis and updated as necessary.
LIST OF TRUSTED PARTNERS
Studio Kropka s.c. Piotr Szyngiera, Krzysztof Kijak, Katarzyna Tomaszewska (ul. Kupa 3/14, 31-057 Krakow, Poland)
Network Automation Systems Dawid Zając (Radzymińska 10/36, 03-752 Warsaw, Poland)
bSimple - Bartłomiej Moszyński (ul. Kopińska 27/22, 02-327 Warsaw, Poland)
Facebook Ireland Limited (4 Grand Canal Square, Dublin, Ireland, Dublin 2) – the link to its privacy policy is available above.
Instagram, handled by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA – the link to its privacy policy is available above.
Pinterest Europe Ltd., an Irish company based at Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland – the link to its privacy policy is available above.
Google LLC, Mountain View, California – the link to its privacy policy is available above.
YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA – the link to its privacy policy is available above.
Mailchimp Inc. based in the USA – the link to its privacy policy is available above.
Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA – the link to its privacy policy is available above.
FreshMail spółka z ograniczoną odpowiedzialnością (a Polish limited liability company with its registered office in Krakow), KRS: 0000497051 – the link to its privacy policy is available above.
Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland - the link to its privacy policy is available above.
SparkPost, 9160 Guilford Road, Columbia, MD 21046, USA - the link to its privacy policy is available above.