Privacy Policy

  1. This Privacy Policy sets out the rules for the processing of personal data obtained through polonesia.pl (hereinafter referred to as: the ‘Website’).
  2. The owner of the website as well as the Data Controller is Polonesia Language School -Magdalena Lewandowska-Boczkowska, hereinafter referred to as the Controller.

  3. The personal data collected by the Controller through the Website is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as the GDPR.

  4. The Controller shall make every effort to respect the privacy of Customers visiting the Website.

 
  • 1 Type of data processed, purposes and legal basis
  1. The Controller collects information concerning natural persons who perform a legal transaction not directly related to their activity, natural persons who conduct a business or professional activity on their own behalf, and natural persons who represent legal persons or organisational entities which are not legal persons, but to which the law confers legal capacity, which conduct a business or professional activity on their own behalf, hereinafter collectively referred to as Customers.
  2. Customers’ personal data is collected in the event of:

the use of the contact form service on the Website for the performance of the contract, which is provided electronically. Legal basis: necessary for the performance of a contract for the provision of the contact form service (Article 6(1)(b) of the GDPR).

  1. When using the contact form service, the Customer provides the following data:

– email address

– first name and last name

– phone number

  1. During the use of the Website, additional information may be collected, in particular: the IP address assigned to the Customer’s computer or the external IP address of the Internet provider, domain name, browser type, access time, operating system type.
  2. Navigation data may also be collected from Customers, including information about links and references they choose to click on or other actions they take on the Website. Legal basis: legitimate interest (Article 6(1)(f) of the GDPR) to facilitate the use of electronically provided services and to improve the functionality of these services.
  3. The provision of personal data to the Controller is voluntary.
  • 2 To whom is the data made available or entrusted and how long is it stored?
  1. The Customer’s personal data is transferred to the service providers used by the Controller to operate the Website. Service providers to whom personal data is transferred, depending on the contractual arrangements and circumstances, are either subject to the instructions of the Controller as to the purposes and means of processing such data (processors) or determine the purposes and means of processing themselves (controllers).

1.1. Processors. The Controller uses providers who process personal data only upon the instruction of the Controller. These include, but are not limited to, providers of hosting services, accounting services, providers of marketing systems, systems for analysing Website traffic, systems for analysing the effectiveness of marketing campaigns.

1.2.  Controllers. The Controller uses providers who do not act solely upon instructions and determine the purposes and uses of Customers’ personal data themselves. They provide electronic payment and banking services.

  1. Location. Service providers are mainly based in Poland and in other countries of the European Economic Area (EEA).
  2. Customers’ personal data is stored:

3.1. Where the basis for the processing of personal data is consent, then the Customer’s personal data shall be processed by the Controller as long as the consent is not revoked, and after revocation of the consent – for a period of time corresponding to the period of limitation of claims that the Controller may raise and that may be raised against the Controller. Unless otherwise provided by a specific provision, the limitation period is six years, and three years for claims for periodic benefits and claims relating to the conduct of business.

3.2. Where the basis for data processing is the performance of a contract, then the Customer’s personal data shall be processed by the Controller for as long as it is necessary for the performance of the contract, and thereafter, for a period corresponding to the period of limitation of claims. Unless otherwise provided by a specific provision, the limitation period is six years, and three years for claims for periodic benefits and claims relating to the conduct of business.

  1. If a request is made, the Controller shall make personal data available to authorised state authorities, in particular to organisational units of the Public Prosecutor’s Office, the Police, the President of the Personal Data Protection Office, the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.
 
  • 3 Cookie mechanism, IP address
  1. The Website uses small files, known as cookies. They are stored by the Controller on the terminal equipment of the Website’s visitor, if the Internet browser allows it. A cookie usually contains the name of the domain from which it originated, its ‘expiry time’ and an individual random number identifying the cookie. The information collected through such files helps to adapt the products offered by the Controller to the individual preferences and actual needs of the Website’s visitors.
  2. The Controller uses two types of cookies:

2.1. Session cookies: when the session of a particular browser ends or the computer is switched off, the information stored is deleted from the device’s memory. The mechanism of session cookies does not allow any personal data or any confidential information to be collected from Customers’ computers.

2.2. Persistent cookies: these are stored in the memory of the Customer’s terminal equipment and remain there until they are deleted or until they expire. The mechanism of persistent cookies does not allow any personal data or any confidential information to be collected from Customers’ computers.

  1. The Controller uses its own cookies for:

3.1. analysis and research, as well as viewing activity audit, and in particular to create anonymous statistics which help to understand how Customers use the Website, so as to improve its structure and content.

  1. The Controller uses external cookies for:

4.1. presentation on the information pages of the Website of a map indicating the location of the Controller’s office by means of maps.google.com (external cookies controller: Google Inc., based in the USA).

  1. The cookie mechanism is safe for the computers of Customers visiting the Website. In particular, it is not possible for viruses or other unwanted software or malware to enter the Customers’ computers via this route. However, Customers have the option in their browsers to restrict or disable access of cookies to their computers. If this option is used, the use of the Website will be possible, except for functions that by their nature require cookies.
  2. The Controller may collect IP addresses of Customers. An IP address is a number assigned to the computer of the Website’s visitor by the provider of Internet services. The IP number allows access to the Internet. In most cases, it is assigned to a computer dynamically, i.e. it changes each time the computer connects to the Internet, and is therefore commonly treated as non-personal identifying information. The IP address is used by the Controller to diagnose technical problems with the server, to create statistical analyses (e.g. to determine from which regions we record the highest number of visits), as information useful for administration and improvement of the Website, as well as for security purposes and possible identification of server-overloading, unwanted automatic programmes for browsing the contents of the Website.
  • 4 Rights of data subjects
  1. Right to withdraw consent – legal basis: Article 7(3) of the GDPR.

1.1. The Customer has the right to withdraw any consent he/she has given.

1.2. The withdrawal of consent is effective from the moment of withdrawal.

1.3. The withdrawal of consent does not affect the processing lawfully carried out by the Controller prior to its withdrawal.

1.4. The withdrawal of consent does not entail any negative consequences for the Customer, but it may prevent further use of services or functionalities that the Controller can legally provide only with consent.

  1. Right to object to data processing – legal basis: Article 21 of the GDPR.

2.1. The Customer has the right to object at any time – on grounds relating to his/her particular situation – to the processing of his/her personal data, including profiling, if the Controller processes the Customer’s data on the basis of a legitimate interest, such as marketing of the Controller’s products and services, keeping of statistics on the use of particular functionalities of the Website and facilitation of the use of the Website, as well as satisfaction surveys.

2.2. Opting out, in the form of an email, of receiving marketing communications about products or services will imply the Customer’s objection to the processing of his/her personal data, including profiling for these purposes.

2.3. If the Customer’s objection proves to be valid, the Controller has no other legal basis for the processing of personal data, the Customer’s personal data, to the processing of which the Customer has objected, will be deleted.

  1. Right to erasure (‘right to be forgotten’) – legal basis: Article 17 of the GDPR.

3.1. The Customer has the right to request the erasure of all or some personal data.

3.2. The Customer has the right to request the erasure of personal data if:

3.2.1. the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

3.2.2. the Customer has withdrawn specific consent, to the extent that the personal data was processed on the basis of his/her consent;

3.2.3. the Customer has objected to his/her data being used for marketing purposes;

3.2.4. the personal data has been processed unlawfully;

3.2.5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

3.2.6. the personal data has been collected in relation to the offer of information society services.

3.3. Despite a request for erasure of personal data, following an objection or withdrawal of consent, the Controller may retain certain personal data to the extent that the processing is necessary for the establishment, assertion or defence of claims, as well as to demonstrate compliance with a legal obligation requiring processing under Union or Member State law to which the Controller is subject. This applies in particular to the following personal data: first name, last name, email address, which are stored for the purpose of handling complaints and claims relating to the use of the Controller’s services, or, additionally, residence address/correspondence address, order number, which are stored for the purpose of handling complaints and claims relating to the concluded sales contracts or the provision of services.

  1. Right to restriction of processing – legal basis: Article 18 of the GDPR.

4.1. The Customer has the right to request the restriction of the processing of his/her personal data. The submission of a request, pending its resolution, prevents the use of certain functionalities or services, the use of which will involve the processing of the data covered by the request. The Controller will also not send any communications, including marketing communications.

4.2. The Customer has the right to request the restriction of the use of personal data in the following cases:

4.2.1. when the Customer questions the accuracy of his/her personal data, in which case the Controller restricts the use of his/her personal data for a period enabling the Controller to verify the accuracy of the data, but for no longer than 7 days;

4.2.2. when the processing of the data is unlawful and the Customer requests the restriction of its use instead of erasing the data;

4.2.3. when the personal data is no longer necessary for the purposes for which it was collected or used, but is still required by the Customer to establish, assert or defend claims;

4.2.4. when the Customer has objected to the use of his/her data, in which case the restriction will be for the time necessary to verify whether, due to the particular situation, the protection of the Customer’s interests, rights and freedoms overrides the interests pursued by the Controller in processing the Customer’s personal data.

  1. Right of access to data – legal basis: Article 15 of the GDPR.

5.1. The Customer has the right to obtain confirmation from the Controller as to whether or not personal data concerning him/her are being processed and, where that is the case, the Customer has the right to:

5.1.1. access his/her personal data;

5.1.2. obtain information about the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients of such data, the envisaged period of storage of the Customer’s data or the criteria used to determine that period (where it is not possible to determine the envisaged period of processing), the Customer’s rights under the GDPR and the right to lodge a complaint with a supervisory authority, the source of such data, the automated decision-making, including profiling, and the safeguards applied in connection with the transfer of such data outside the European Union;

5.1.3. obtain a copy of his/her personal data.

  1. Right to rectification of data – legal basis: Article 16 of the GDPR.

6.1. The Customer has the right to request from the Controller the immediate rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the Customer, who is the data subject, has the right to have incomplete personal data completed, including by means of providing a supplementary statement, by addressing a request to the email address in accordance with §6 of the Privacy Policy.

  1. Right to data portability – legal basis: Article 20 of the GDPR.

7.1. The Customer has the right to receive his/her personal data that he/she has provided to the Controller and then transmit it to another personal data controller of his/her choice. The Customer also has the right to request that the personal data be transmitted by the Controller directly to such a controller, where technically feasible. In this case, the Controller will transmit the Customer’s personal data in the form of a file in csv format, which is a commonly used, machine-readable format that allows the data received to be transmitted to another personal data controller.

  1. In the event of the Customer’s assertion of an entitlement under the aforementioned rights, the Controller will either comply with the request or refuse to comply with it immediately, but no later than within one month of receiving it. However, if – due to the complexity of the request or the number of requests – the Controller is unable to comply with the request within one month, it will comply with the request within a further two months, while informing the Customer in advance – within one month of receiving the request – of the intended extension of the deadline and the reasons for it.
  2. The Customer may lodge complaints, queries and requests with the Controller regarding the processing of his/her personal data and the exercise of his/her rights.
  3. The Customer has the right to lodge a complaint with the President of the Personal Data Protection Office regarding a breach of his/her data protection rights or other rights granted under the GDPR.
 
  • 5 Changes to Privacy Policy
  1. The Privacy Policy is subject to change, of which the Controller is under no obligation to inform.
  2. For questions related to the Privacy Policy, please contact: kontakt@polonesia.pl
  3. Last modified: 20.10.2023