menu

Privacy Policy - STAR DIGITAL

  1. GENERAL PROVISIONS 
    1. This Privacy Policy is for informational purposes, which means that it does not establish obligations for service recipients or clients. The Privacy Policy primarily contains rules regarding the processing of personal data by the Personal Data Controller, including the grounds, purposes and scope of personal data processing, and the rights of data subjects.
    2. The Personal Data Controller is Star Digital spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw, 17A Wita Stwosza Street, 02-661 Warsaw, hereinafter referred to as “Controller”.
    3. Personal data shall be processed by the Controller in accordance with applicable laws, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as “GDPR”.
    4. The Controller shall take special care to protect the interests of the persons whose personal data it processes, and in particular it shall be responsible and ensure that the data it collects are: (1) processed in accordance with the law; (2) collected for designated legitimate purposes and not subjected to further processing incompatible with those purposes; (3) substantially correct and relevant to the purposes for which they are processed; (4) stored in a form that allows identification of the persons to whom they relate for no longer than necessary to achieve the purpose of the processing, and (5) processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
  2. WHAT IS PERSONAL DATA 
    1. Personal data is any information about an identifiable person whose identity can be determined directly or indirectly.
    2. Personal information does not include anonymous or non-personal information (i.e.: information that cannot be associated or linked to a specific person).
  3. GROUNDS FOR DATA PROCESSING 
    1. The Controller is authorised to process personal data in cases where, and to the extent that, one or more of the following conditions are met: (1) data subject has consented to the processing of his/her personal data for one or more specified purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject before concluding a contract; (3) processing is necessary for the fulfilment of a legal obligation of the Controller; or (4) processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
    2. Processing of personal data by the Controller requires the existence of at least one of the grounds indicated above each time. The specific grounds for processing personal data are provided in section 4 below.
  4. PURPOSE, BASIS, PERIOD, AND SCOPE OF DATA PROCESSING IN THE ONLINE STORE 
    1. Each time, the purpose, basis, period and scope and recipients of the personal data processed by the Controller result from the activities undertaken by the Controller.
    2. The Controller may process personal data for the following purposes, on the following grounds, during the following periods, and to the following extent:
Purpose of processing Legal basis Retention period
Performance of the contract Article 6 item 1 b) of the GDPR duration of the contract and for the period of the statute of limitations for claims, in accordance with Article 118 of the Civil Code (3 years or 10 years)
Contacting employees of the entity that is a party to the contract, being the realisation of our legitimate interest in it Article 6 item 1 f) of the GDPR duration of the contract and for the period of the statute of limitations for claims, in accordance with Article 118 of the Civil Code (3 years or 10 years) unless we obtain information about the termination of the person’s employment relationship beforehand
Establishing, investigating or defending against claims that are the realisation of our legitimate interest in it Article 6 item 1 f) of the GDPR duration of the contract and for the period of the statute of limitations for claims, in accordance with Article 118 of the Civil Code (3 years or 10 years)
Fulfilment of accounting obligations

Article 6 item 1 c) of the GDPR
Article 74 item 2.4 of the Accounting Acti

 period of 5 years from the year following the fiscal year in which operations and transactions were finally completed, settled or repaid
Offering products and services directly (direct marketing) and sending commercial information, i.e. realisation of our legitimate interest in it

Article 6 item 1 f) of the GDPR
or
Article 6 item 1 a) of the GDPR

 

 duration of the legitimate interest of the Controller, i.e. the duration of the contract or consent, after the termination of the contract

 

  1. DATA RECIPIENTS  
    1. For the proper functioning of the Controller and the provision of services, it is necessary to use the services of external entities (such as external accounting, courier services, or IT service providers). The Controller shall only use the services of such processing entities who provide sufficient guarantees to apply appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.
    2. The transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the Privacy Policy – the Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary for its realisation. 
    3. Personal data of the Controller’s service recipients and clients may be transferred to the following recipients or categories of recipients: 
      1. entities linked to the Controller via capital or personal links – in the event that the entities co-manage the data or mutually support each other in the provision of services..
      2. carriers / freight forwarders / courier brokers – in the case of a client to whom the goods must be delivered, the Controller provides the collected personal data of the client to the selected carrier performing shipments on behalf of the Controller to the extent necessary to complete the delivery of the product.
      3. entities handling electronic or credit card payments – when a client uses the method of electronic or credit card payments, the Controller provides the collected personal data of the client to the selected entity handling the above payments on behalf of the Controller to the extent necessary to handle the payment made by the client.
      4. service providers supplying the Controller with technical, IT and organisational solutions that enable the Controller to conduct its business, in particular computer software providers, email and hosting providers, and providers of business management and technical support software for the Controller. The Controller shall make the collected personal data of the Client available to the selected supplier acting on its behalf only in the case and to the extent necessary to fulfil the given purpose of data processing in accordance with this Privacy Policy.
      5. providers of accounting, legal and advisory services, debt collection services, providing accounting, legal or advisory support to the Controller (in particular, an accounting office, law firm or debt collection company) – the Controller shall make the collected personal data of the Client available to the selected provider acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this Privacy Policy.
  2. PROFILING  
    1. The GDPR imposes an obligation on the Controller to inform about automated decision-making, including profiling, as referred to in Article 22 item 1 and 4 of the GDPR, and – at least in those cases – relevant information about the principles of decision-making as well as about the significance and anticipated consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this section of the Privacy Policy.
    2. The Controller does not use the provided data for automated decision-making or profiling.
  3. RECRUITMENT 
    1. If the Controller receives a job application, the candidate’s personal data is, on the basis of Article 6 item 1 a), is used for: 
      1. assessment of skills, qualifications, and job suitability;
      2. communication regarding the recruitment process;
      3. compliance with laws and regulations. 
      4. making decisions about signing an employment contract or a contract providing another basis for employment. 
    2. The Controller will also store the data for the purpose of possible establishment, investigation or defense against claims being the realisation of our legitimate interest in doing so, i.e. on the basis of Article 6 item 1 f) of the GDPR.
    3. The Controller will retain candidates’ personal data for the duration of the recruitment process and for a maximum of 3 years from the date of its completion.
    4. If a consent to the processing of data for future recruitment processes is given, the Controller will retain the data for a maximum period of 5 years from the date of consent or until such consent is withdrawn.
  4. RIGHTS OF THE DATA SUBJECT 
    1. Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the Controller access to his/her personal data, to rectify it, erase it (“right to be forgotten”) or restrict its processing. The data subject also has the right to object to his/her data processing, and has the right to portability of his/her data. Detailed conditions for exercising the rights indicated above are indicated in Articles 15-21 of the GDPR.
    2. Right to withdraw consent at any time – a person whose data is processed by the Controller on the basis of expressed consent (pursuant to Article 6 item 1 a) or Article 9 item 2 a) of the GDPR), has the right to revoke consent at any time without affecting the legality of the processing performed on the basis of consent before its revocation.
    3. The right to lodge a complaint to a supervisory authority – a person whose data is processed by the Controller has the right to lodge a complaint to a supervisory authority in the manner and mode specified in the provisions of the GDPR and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Office for Personal Data Protection.
    4. Right to object – the data subject has the right to object at any time, for reasons related to his/her particular situation, to the processing of personal data concerning him/her based on Article 6 item 1 e) and f) (legitimate interest of the Controller), including profiling under these provisions. In such a case, the Controller shall no longer be allowed to process such personal data unless the Controller demonstrates the existence of compelling legitimate grounds for the processing overriding the interests, rights and freedoms of the data subject, or grounds for the establishment, assertion or defense of claims.
    5. Right to object to direct marketing – if personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him/her for such marketing, including profiling, to the extent that the processing is related to such direct marketing.
    6. In order to exercise the rights referred to in this section of the Privacy Policy, you may contact the Controller by sending an appropriate message in writing or by e-mail to the Controller’s address indicated at the beginning of the Privacy Policy.
  5. HOW YOUR PERSONAL DATA IS PROTECTED 
    1. The Controller undertakes, when processing entrusted personal data, to secure it by applying appropriate technical and organisational measures ensuring an adequate degree of security corresponding to the risks involved in the processing of personal data, as referred to in Article 32 of the Regulation.
    2. The Controller specifically undertakes to: 
      1. ensure the continued confidentiality and integrity of personal data by safeguarding it against unauthorised access, taking by an unauthorised person, processing in violation of applicable laws, and alteration, loss, damage or destruction;
      2. control the course of personal data processing at each stage,
      3. regularly test, measure and evaluate the effectiveness of the technical and organisational measures in place to ensure the security of processing, and to update it at the request of the Controller.
  6. FINAL PROVISIONS 
    1. In the event of changes in the law or in the event of a difference in interpretation, the generally applicable law shall prevail.

With reference to the entry into force on May 25, 2018 and the entry into force of the Act of August 29, 1997 on the protection of personal data (consolidated text of June 13, 2016, Journal of Laws of 2016, item 922) and in accordance with art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on data protection ), we would like to inform you about your rights and for what purpose we process your personal data.

The administrator of personal data of customers and contact persons is:

Star Media SP. z o.o

Info