of CO3 spółka z ograniczoną odpowiedzialnością (Limited Liability Company)
- Controller – it means the controller of Personal Data within the meaning of Article 4(7) of the GDPR, namely CO3 Spółka z ograniczoną odpowiedzialnością with its registered office in Bielany Wrocławskie (55-040), ul. Irysowa 1, NIP: 8961583248, for which the District Court for Wrocław Fabryczna in Wrocław, 6th Commercial Division of the National Court Register maintains registration files in the Register of Entrepreneurs under the KRS number: 0000764323, e-mail: email@example.com.
- Software – it means the Internet browser used to access the Platform;
- Cookies – it means computer data, in particular text files, which are stored on the User’s Device and which facilitate the use of the Platform;
- Platform – it means the ICT system by means of which CO³ provides services electronically, as described in the General Contractual Terms and Conditions (GCTC), available at the following internet address: www.co3.eu/gctc;
- GDPR – it means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – the legal act governing the protection of personal data;
- Device – it means the electronic device by which the User accesses the Platform, in particular: PCs, laptops, tablets, smartphones;
- User – it shall be understood to mean any entity who has a User account within the Platform, which entitles them to make use of the functionality of the Platform within the limits specified in the GCTC.
§ 2. General provisions
- The Controller ensures that it uses its best efforts to ensure that the processing of personal data by the Controller is carried out with the greatest respect for the privacy of the data subjects.
- The Controller shall ensure that technical and organizational measures are in place to ensure the protection of the processed personal data, appropriate to the risks and categories of data being protected, and in particular that the data is protected against its disclosure to unauthorized persons, acquisition by an unauthorized person, processing in violation of the Act, and change, loss, damage or destruction.
- The Controller shall comply with the following principles regarding the processing of personal data:
- processes personal data lawfully, fairly and in a transparent manner for the data subject;
- collects personal data for specified, explicit and legitimate purposes and does not further process it in a way incompatible with those purposes;
- processes personal data in a way that is adequate, relevant and limited to what is necessary for the purposes of the processing;
- personal data is processed correctly and is updated when necessary; the Controller takes all reasonable steps to ensure that personal data which is inaccurate in light of the purposes of its processing are erased or rectified without delay;
- keeps the personal data in a form which enables identification of the data subject for no longer than is necessary for the purposes for which the data is processed.
- The Controller may transfer Personal Data to a third country, i.e. outside the European Economic Area (EEA), in order to enable Users outside the EEA to use the services of the Platform. This transfer can take place to:
- countries where the European Commission has issued adequacy decisions on the protection of personal data (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) without the need to meet additional requirements;
- other countries, primarily on the basis of Standard Contractual Clauses with additional security measures (technical and legal) or Binding Corporate Rules or pursuant to Article 49(1)(c) of GDPR, if the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Controller and a User outside the EEA.
§ 3. Processing of Personal Data of Users and other persons
- Personal data of Users and other persons interacting with the Controller or the Users can be processed by the Controller:
- in order to perform the contract concluded with the Controller for the provision of services by electronic means within the Platform- then the legal basis for the processing of personal data is the necessity of the processing for the performance of the contract (Article 6(1)(b) of GDPR);
- in order to provide geolocation data such as information about the GPS location of the User’s vehicle, the registration number of the localized vehicle and the ignition status (if available) – the legal basis for processing is consent (Article 6(1)(a) of GDPR);
- in order to establish contact and enable the use of services provided within the Platform – the legal basis of the processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR);
- in order to comply with statutory obligations incumbent on the Controller, resulting in particular from tax and accounting regulations – the legal basis of processing is a legal obligation (Article 6(1)(c) of GDPR);
- for analytical and statistical purposes, including improving the Platform functionalities applied – the legal basis of the processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) consisting of conducting analyses of Users’ activities on the Platform, as well as of their preferences in order to improve the applied functionalities;
- in order to establish and pursue claims or defend against claims – the legal basis of the processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR);
- for technical and administrative purposes, to ensure the security of the Controller’s ICT systems and to manage these systems – in this regard, the legal basis of the processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR);
- for direct marketing purposes – in this case, the legal basis for the processing is also the legally legitimate interest pursued by the Controller or by a third party (Article 6(1)(f) of GDPR).
- Providing personal data by the User is voluntary but necessary in order to provide electronic services by the Controller within the Platform.
- The Controller processes or may process the following personal data:
- name and surname,
- e-mail address,
- IP address,
- telephone numbers,
- series and number of identity document,
- VAT identification number (e.g. NIP),
- registered or business address,
- professional entitlements and qualifications,
- geolocation data,
- data collected during interaction with the Controller or its representatives through electronic communication.
- The recipients of personal data processed by the Controller are or may be:
- persons authorized by the Controller to process data within the Controller’s enterprise;
- entities providing the Controller with IT, accounting, HR, legal and tax advisory services, as well as advertising, courier, postal, personal and property security and cleaning services – in particular on the basis of contracts on entrustment of personal data processing;
- other Users to whom the Controller grants access to the Platform- in accordance with the provisions of GCTC;
- public administration bodies and entities performing public tasks or acting on behalf of public administration bodies, as well as judicial authorities – within the limits of their rights provided by provisions of law.
- The Controller processes the Users’ personal data for the duration of the legal relationship with the User and the time of the limitation period, however, not longer than 6 years. The Controller processes personal data of other persons for a period not longer than 6 years.
- The Controller does not use systems used for profiling and automated decision-making.
- The Controller declares that it may use tools designed to analyse traffic on the Platform, such as Google Analytics and other similar tools.
- The Controller reserves the right to use anonymized geolocation data for analytical and statistical purposes, serving the development of services offered by the Controller.
§ 4. Rights of the data subject
- Persons whose data is processed by the Controller are entitled to:
- the right of access to their personal data and the right to correct it;
- the right to supplement, update, rectify, transfer and request restriction of processing as well as erasure of personal data;
- the right to object to the processing of personal data.
- In order to access, correct, supplement, update, rectify, limit processing, transfer, delete and object to the processing of one’s personal data, please send your request to the e-mail address of the Controller: firstname.lastname@example.org or in writing to the address: ul. Irysowa 1, 55-040 Bielany Wrocławskie.
- The data subject shall also have the right to lodge a complaint with the President of the Personal Data Protection Office if the Controller does not process personal data lawfully.
§ 5. Cookies
- The Platform may use two basic types of Cookies:
- session cookies – these are temporary files that are stored on the User’s Device until leaving the Platform or switching off the Software;
- permanent – these are files stored on the User’s Device for the period specified in the parameters of the Cookies or until they are deleted by the User.
- The Platform may use all or some of the following types of Cookies:
- “essential”, which enable the use of the Platform,
- “performance” which allows the collection of information about the manner of using the Platform;
- “functionality”, which enable retention of User-selected settings and personalization of the User interface, e.g. through language, font size, appearance of the Platform;
- “advertising”, which make it possible to provide Users with advertising content more tailored to their interests.
- Currently, the Platform uses the following types of Cookies:
KC_RESTART Essential Session Owned (Keycloak) A cookie to restore the user session, if active, when the site is restarted. Cancelled at the end of the session AUTH_SESSION_ID Essential Session Owned (Keycloak) A cookie that allows a user session to be assigned to a specificn Keycloak instance for consistent routing of communication within the session. Cancelled at the end of the session
The solutions used within the Platform are safe for the Devices of the Users who use the Platform.
The User may, at any time, change their Cookie settings. These settings can be changed, in particular, in such a way as to block the automatic handling of Cookies in the settings of the Internet browser, or inform on their placement on the User’s Device each time. In the event of restricting or disabling access of Cookies to the Device, use of the Platform may be impaired and some functionalities that require Cookies may be disabled. Detailed information about the possibility and methods of using Cookies is available in the Software settings.
§ 6. Use of technologies monitoring User activity
- The platform uses social plugins, which are tools allowing connection to popular social networks. These plugins allow the browser of a User visiting the Platform to retrieve content from the plugin provider and transmit data about the User, including personal data, to that provider.
- The following social plugins are currently in use:
- Facebook Ireland Ltd. – On the Platform, there are “Like” and “Share” plugins to link to Facebook and a plugin that links directly to Instagram. By using one of the aforementioned plugins, the User logs in to Facebook or Instagram respectively, which have different privacy policies than the Platform. You can read them by using the link: https://pl-pl.facebook.com/privacy/explanation or for information on plugins: https://pl-pl.facebook.com/help/203587239679209
- LinkedIn Ireland Unlimited Company – there is a plugin on the Platform that allows referring to LinkedIn and sharing a post on it. By using such a plugin, the User logs in to the aforementioned portal, which has different privacy policies than the Platform. You can read them by using the link: https://www.linkedin.com/legal/privacy-policy
§ 7. Final provisions
- The Platform may contain links to other websites, such as those of advertisers or telematic service providers. Such websites operate independently of the Controller and are in no way supervised by the Controller. These websites may have their own privacy policies and regulations, which we recommend that you read.