Personal Data Protection Policy

Pursuant to Article 24(2) in connection with Article 4 point (7) of regulation (EU) 2016/679 of the European Parliament and of the Council 2016/679 of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, this personal data protection policy is established.

I. Key definitions

For the purpose of this policy:

Controller

Sebastian Wilgosz is the controller of your personal data and sole proprietor doing business as wilgosz.pl – Media and IT Services Sebastian Wilgosz

correspondence address: ul. Antonia Vivaldiego, nr 48, lok. 7, 52-129 Wrocław;
e-mail address: info@hanamimastery.com;
web address: https://hanamimastery.com;
telephone number: (+48) 724 532 430;

Cookie

means a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. The cookie allows the website to "remember" arbitrary pieces of information that the user previously entered into form fields. Further information at: https://pl.wikipedia.org/wiki/HTTP_cookie;

Personal data

means any information relating to an identified or identifiable natural individual, for example, a name and a surname, PESEL No. (Personal ID No.), NIP (Tax Identification Number), REGON (the National Official Register of Business Entities), location data, an Internet Protocol (IP) address;

Client

means any entity to whom the controller provides services;

Personal data breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Recipient

means any person to whom the data are disclosed (including external accountants);

Restriction of processing

means where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State (Article 18(2) of the GDPR);

Processor

means a body which processes personal data on behalf of the controller;

Profiling

means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular personal preferences, interests, reliability;

Processing personal data

means any operation or set of operations which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, restriction or erasure;

GDPR

is an abbreviation of the name of a regulation (EU) 2016/679 of the European Parliament and of the Council 2016/679 of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

Information society service

means any service normally provided for remuneration, at a distance, by means of electronic equipment, and at the individual request of a recipient of a service (including online purchasing, purchasing access to particular contents, online service);

Consent of the data subject

means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

II. How are your personal data processed?

  1. Processing shall be lawful only if and to the extent that at least one of the following applies (pursuant to Article 6(1) of the GDPR):

     1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

     2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

     3. processing is necessary for compliance with a legal obligation to which the controller is subject;

     4. processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. For this purpose, the controller checks which actions are suitable to meet the requirements of the legitimate interests and at the same time respect fundamental rights and freedoms.

  2. Processing shall be fair, which means that the data subject is informed of the principles of personal data processing at the time of the collection of personal data. In order to get more information on data processing, you should contact the controller by means indicated in point I of this policy.

  3. Processing shall be transparent to the client in such a way that access to and alteration of the data, and the transfer of the data partially or wholly to a third party at the client's request, should be easily accessible. This means that any information relating to the processing of personal data must be easy to understand and that clear and plain language must be used.

  4. Personal data shall be collected for specified, explicit and legitimate purposes. Personal data are processed to a limited extent necessary to perform the duties, unless you gave the consent to process the data for other purposes.

  5. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The requested data are necessary to provide the services.

  6. Personal data shall be accurate and kept up to date. The controller ensures that every reasonable step will be taken to ensure that personal data that are inaccurate (having regard to the purposes for which they are processed or the content) are erased or rectified without delay. The procedure laid down in point III of this policy facilitates the process of erasing or rectifying the data.

  7. The data are processed only for a period necessary for the purpose for which they are processed. Your data, after the contract execution, are deleted without delay, unless you gave the consent to process the data for other purposes than the contract execution.

  8. The data are processed with integrity and confidentiality. The controller provides appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. For further information, please refer to points IV and V of this policy.

III. Your rights in relation to personal data protection processing

Pursuant to Article 12(1) of the GDPR, you have the following rights:

  1. The controller shall provide information on action taken on a request of the data subject (Article 12(3) of the GDPR);

  2. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed (Article 15 of the GDPR);

  3. The data subject shall have the right to obtain access to the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom personal data have been or will be disclosed; where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period; where personal data are not collected from the data subject, any available information as to their source (Article 15 of the GDPR);

  4. The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her, erasure, and restriction of processing (Articles 16-18 of the GDPR);

  5. The controller shall provide a copy of personal data undergoing processing in a chosen form. A reasonable fee may be charged depending on the data storage device and data volume (Article 15(3) of the GDPR);

  6. The data subject shall have the right to receive personal data concerning him or her for transmitting to another controller or to have personal data transmitted directly from one controller to another (Article 20 of the GDPR);

  7. The data subject shall have the right to object to the President of the Office of Personal Data Protection (Article 21 of the GDPR). The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds (for further information, please refer to point II of this policy). The data subject shall have the right to object to processing of personal data for profiling and direct marketing purposes;

  8. The data subject shall have the right to lodge a complaint to the President of the Office of Personal Data Protection if the data subject considers that the processing of personal data relating to him or her infringes the GDPR (Article 77 of the GDPR);

  9. The data subject shall have the right to an effective judicial remedy against the controller or other body processing his or her data under the Civil Code where the data subject considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR (Article 78 of the GDPR). Court proceedings for exercising this right shall be brought before the courts competent under the Code of Civil Procedure;

  10. The data subject shall have the right to compensation and liability if the data subject has suffered material or non-material damage as a result of an infringement of the GDPR (Article 82 of the GDPR). Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the Code of Civil Procedure.

The requests mentioned in points 1-6 shall be made in a written form and sent to the controller’s correspondence address or by electronic means. The controller responds to requests in the form requested by the data subject.

The controller shall provide information on action taken on a request to the data subject within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request.

Any communication and any actions taken shall be provided free of charge, unless otherwise specified. If the requests are made more often than once a month, the controller will charge a fee for providing the information or taking the action requested. Where requests from a data subject are manifestly unfounded or excessive, the controller may refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

IV. The technical and organizational data protection measures

In order to protect the rights in relation to personal data protection, the below measures have been implemented:

  1. The below personal data protection policy is introduced and is binding on the data controller and clients;

  2. The records of processing activities are documented and available to clients and the supervisory authority on demand;

  3. At the time of contract, the forms for referring to the appropriate bodies for the execution of data protection rights are shared.

V. The principles of data protection by design and data protection by default

  1. The controller ensures that the data protection system minimises the possibility of a personal data breach (privacy by design). For this purpose, the controller:

     1. stores personal data on separate data storage devices without internet access in order to minimise the loss of personal data;

     2. stores personal data on servers providing reliable data protection measures;

     3. uses licensed and effective antivirus software in order to minimise the possibility of accidental data loss or unauthorised access to the data;

     4. collects data only for the purpose of the performance of the tasks.

  2. The controller ensures that, by default, only personal data which are necessary for each specific purpose of the processing are processed (privacy by default). That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

For this purpose, personal data are collected through appropriate forms on the website and contracts, which do not collect insignificant data. Moreover, data are disclosed only to entities necessary to perform the services.

VI. Profiling. Managing cookies

VI. Automatic data processing

The controller uses the below automatic data processing tools:

  1. Google Analytics

Google Analytics is a web analytics service offered by Google Inc. with its registered office in Mountain View, 1600 Amphitheatre Parkway, CA 94043, USA.

It is a website traffic analysis tool. It generates reports in relation to collecting website traffic data. Further information at: http://www.ittechnology.us/ebook-google-analytics/.

Google Analytics respects the privacy policy of “EU-US Privacy Shield” and is registered in the EU-US Privacy Shield program designed by the U.S. Department of Commerce. EU-US Privacy Shield is a framework for exchanges of personal data for commercial purposes between the European Union and the United States to maintain the appropriate level of protection of data transferred from the Union to the United States.

More information regarding Google and Privacy Shield at: https://support.google.com/analytics/answer/7105316?hl=en.

The client has the possibility to disable being tracked and resign from data processing by Google through installing the Google Analytics opt-out browser add-on (available for download at: https://support.google.com/analytics/answer/181881?hl=pl).

  2. Mailchimp

Mailchimp is a Georgia limited liability company whose legal name is The Rocket Science Group LLC d/b/a Mailchimp.

The controller uses Mailchimp in order to exchange information with clients. It facilitates the review of established arrangements, evaluates client’s needs and provides high service quality. Further information at: https://mailchimp.com/.

The personal data are disclosed by the controller to Mailchimp only in the scope necessary for the purpose of using their services (sending emails to clients). The Mailchimp company stores data in accordance with the highest security standards and encrypted connections with SSL certificate. The Privacy Policy located at https://mailchimp.com/legal/ applies to the protection of personal data processed by Mailchimp.

The controller uses Mailchimp only to send emails to the clients who explicitly registered to the newsletter. The resignation from Mailchimp services can be executed by cancelling subscription in any email sent to the client, or solely by client’s request in a written form sent to the controller’s correspondence address or by electronic means.

  3. HubSpot

These are services provided by HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141 USA.

The controller uses HubSpot in order to archive information exchange with clients. It facilitates the review of established arrangements, evaluates client’s needs and provides high service quality. Further information at: https://www.hubspot.com

The personal data are disclosed by the controller to HubSpot only in the scope necessary for the purpose of data storage (archiving information exchange with clients). The HubSpot company stores data in accordance with the highest security standards and encrypted connections with SSL certificate. The Privacy Policy located at https://legal.hubspot.com/privacy-policy applies to the protection of personal data processed by HubSpot.

The controller uses HubSpot to archive information exchange with all clients. The resignation from HubSpot services shall be executed solely by client’s request in a written form sent to the controller’s correspondence address or by electronic means. The resignation from HubSpot services bears such consequences as the loss of the abovementioned functionalities and benefits.

  4. Digital Ocean

These are services provided by Digital Ocean, Inc. with its registered office in New York, 101 Avenue of the Americas, 10th Floor, NY 10013.

Digital Ocean is a hosting company providing a cloud platform to external users. The controller stores application code and the database there.

Digital Ocean Inc. respects the privacy policy of “EU-US Privacy Shield” and is registered in the EU-US Privacy Shield program designed by the U.S. Department of Commerce, which guarantees the proper level of personal data protection stored in Digital Ocean servers. For further information on EU-US Privacy Shield, please refer to point VI(1) of this policy.

Digital Ocean, having regard to its activity classification (providing cloud platform), does not use the data provided by users. The Privacy Policy located at https://www.digitalocean.com/legal/privacy/ applies to the protection of personal data processed by Digital Ocean.

The usage of external servers provided by Digital Ocean is necessary to conduct business in the current scope and at the expected level of services. The resignation from the services provided by Digital Ocean means the resignation from the services provided by the controller.

  5. IFIRMA – accounting services

The controller uses accounting services offered by IFIRMA S.A. with its registered office in Wrocław, ul. Grabiszyńska 241B, 53-234 Wrocław, NIP (Tax Identification Number) 898-16-47-572, REGON (the National Official Register of Business Entities) 931082394, KRS (the National Court Register) 0000281947.

The controller transfers the personal data of the clients to IFIRMA S.A. only in the scope necessary for performing accounting services. The Privacy Policy located at https://www.ifirma.pl/rodo/polityka-prywatnosci-ifirma-pl applies to the protection of personal data processed by IFIRMA S.A.

Processing personal data by IFIRMA S.A. is necessary to perform the duties laid down on the controller, as provided in applicable law (the Act of 29 September 1994 on accounting, Journal of Laws 2018, item 395 as amended), therefore the controller has a right to process the data independently of data subject consent (Article 6(1)(c) of the GDPR).

  6. VAT invoice issuance – ifirma.pl

The controller uses VAT invoice issuing services offered by IFIRMA S.A. with its registered office in Wrocław, ul. Grabiszyńska 241 B, 53-234 Wrocław.

The controller transfers personal data of the clients to IFIRMA S.A. only in the scope necessary for issuing VAT invoices.

The Privacy Policy located at https://www.ifirma.pl/polityka-prywatnosci-i-ochrona-danych-osobowych applies to the protection of personal data processed by IFIRMA S.A.

Processing personal data by IFIRMA S.A. is necessary to perform the duties laid down on the controller, as provided in applicable law (the Act of 11 March 2004 on tax on goods and services, Journal of Laws 2017, item 1221 as amended), therefore the controller has a right to process the data independently of data subject consent (Article 6(1)(c) of the GDPR).

Final provisions

  1. This Personal Data Protection Policy is binding on the controller and the client. It does not cover the relations between the clients and bodies indicated on this website in the form of direct links or in another form. The way personal data are protected by abovementioned bodies is determined by separate regulations established by these bodies.

  2. Any changes to this Personal Data Protection Policy may arise from the change to legal provisions and technological progress. The controller shall notify without delay of any amendments to this policy.