Privacy policy

at REAS Spółka z ograniczoną odpowiedzialnością Spółka komandytowa with its registered office in Warsaw

  1. General provisions
    1. The controller of personal data is REAS Spółka z ograniczoną odpowiedzialnością Spółka komandytowa with its registered office in Warsaw, at Belwederska 9 lok. 103, 00-761 Warszawa, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for the capital city of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0000305792, Tax Identification Number (NIP): 5213486868, REGON statistical number: 141423139, e-mail address: rodo@reas.pl, telephone number: +48 22 380 21 00 (hereinafter referred to as the "Controller").

    2. This Privacy Policy defines the rules of processing and protection of personal data of the Controller’s clients and contractors obtained in connection with any cooperation of the Controller with these persons (hereinafter referred to as the "Clients"). This Privacy Policy is also an informational document concerning the processing of personal data of the Clients by the Controller. The Clients, as defined in this Policy, are also understood as employees and representatives of the Controller’s clients and contractors, whose data are available to the Controller.

    3. In particular, the Clients within the framework of this Privacy Policy are:

      1. clients and contractors of the Controller who are natural persons;

      2. employees and other natural persons acting on behalf of the Controller’s clients and contractors;

      3. natural persons using or intending to use the newsletter service provided by the Controller (hereinafter referred to as the "Newsletter") available on the website of the Controller https://www.reas.pl (hereinafter referred to as the "Website").
    4. Processing of personal data at the Controller’s premises is performed in accordance with the applicable provisions of Polish and European laws, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Official Journal of the European Union No 119, p. 1, hereinafter referred to as the "GDPR").
  2. Types of processed personal data

    1. In cooperation with the Clients, the Controller processes the following personal data of the Clients:

      1. first name and surname / company / position;
      2. date of birth;
      3. contact telephone number;
      4. e-mail address;
      5. address: street, house number and apartment number, postcode, town, country;
      6. Tax Identification Number (NIP);

      7. IP address of the computer or other device with access to the Internet.
    2. The provision of the personal data indicated in points 2.1.1 to 2.1.6 above is entirely voluntary. Each Client is entitled to the rights set forth in this Privacy Policy with respect to their personal data, in accordance with the applicable provisions of law.

    3. Personal data specified in point 2.1.7 above is collected automatically when the Controller’s website is visited. These data are stored in a log file on the server. These data are collected for technical reasons. These data may be processed in connection with other personal data only if the Client consents to the processing of his/her personal data.
    4. In order to provide the Newsletter service, the Client shall provide the data specified in items 2.1.1 and 2.1.4 above. Providing such personal data is necessary to use the Newsletter service – the Newsletter service will not be provided unless these data are shared by the Client.
  3. Purposes of personal data processing
    1. The personal data of the Clients are processed by the Controller in order to establish and maintain business relations with the Clients and to provide the Newsletter service, including (but not limited to) the following purposes:
      1. to conclude, perform or terminate the agreement with the Client, including (in particular) taking action prior to the conclusion of the agreement or the provision of services or goods;
      2. to establish and maintain current business contacts with the Clients, including (in particular) ensuring effective customer service;
      3. to consider complaints or claims made by the Clients;
      4. to fulfil legal obligations incumbent on the Controller, including those concerning e.g. tax settlements;
      5. to provide the Newsletter service available on the Website.
    2. Moreover, personal data of Clients may be processed for marketing purposes related to the Controller’s own products and services or for other purposes to which the Client consents within the framework of cooperation with the Controller.
    3. The Controller shall use automated decision making, including profiling, based on the following principles:
      1. If a person receives a mailing and uses a link from this mailing, he or she shall be automatically assigned a label in the database confirming his or her interest in this particular content.
      2. In the event of a subscriber downloading a newsletter with certain content or viewing certain subpages of the Website, a label may be automatically assigned to the subscriber in the database to confirm his or her interest in this particular content.
      3. On the basis of the labels described in paragraphs 3.3.1 and 3.3.2, the person whom the data apply to may be offered the content that matches his or her interests.
  4. Basis for personal data processing
    1. The provision of personal data by the Clients is voluntary, and in certain situations it may be necessary in order to receive the services provided by the Controller.
    2. The processing of personal data by the Controller shall be based on the provisions of law, i.e. in particular when:
      1. It is necessary for the performance of the contract or for taking pre-contractual actions;
      2. it is necessary to fulfil the legal obligation of the Controller (e.g. tax obligation);
      3. it is necessary for the purposes of the Controller’s justified interest (e.g. marketing the Controller’s own products or services, seeking compensation in legal proceedings).
    3. Moreover, the processing of personal data by the Controller takes place on the basis of the consents provided by the Clients, including e.g. as part of the procedure of using the Newsletter service.
    4. Each Client shall have the right to withdraw the consent to the processing of personal data at all times. The withdrawal of the consent shall not affect the lawfulness of the processing carried out on the basis of the consent given prior to its withdrawal, nor shall it affect the processing of personal data on the basis different than the consent of the Client.
    5. Only the Clients who are aged 16 and over may give their consent on their own behalf. In the case of persons under 16 years of age, the consent of their parents or legal guardians is required.
  5. Period of data retention
    1. The Clients’ personal data shall be stored for the period necessary to achieve the purposes for which these data are processed, including (in particular) for a period:
      1. that is needed to take pre-contractual action to conclude the contract;
      2. of the performance of the agreement concluded with the Controller and the period during which the Client or the Controller are entitled to any rights or claims related to the performance of the agreement (including the period of limitation of claims and one year after the expiration of the limitation period);
      3. of sending the Newsletter and the period of limitation of claims under the Newsletter service and one additional year after the expiration of the period of limitation;
      4. of compliance with the statutory requirements imposed on the Controller.
    2. After the expiry of the data retention period, the personal data shall be immediately deleted by the Controller, with the exception of personal data used for direct marketing purposes – their processing shall continue until the Client objects to the processing of the data.
  6. Recipients of personal data
    1. The Clients’ personal data may be transferred to the following categories of recipients:
      1. the persons authorized by the Controller and employed by the Controller or cooperating with the Controller on the basis of civil law agreements;
      2. the entities processing personal data on commission of and on behalf of the Controller and authorized persons employed at such entities (e.g. services of external companies, subcontractors, legal advisors, financial or accounting advisors, IT service providers, etc.);
      3. government agencies or other public entities so that the legal requirements are met.
    2. The transfer or provision of personal data of the Clients shall be carried out with respect to the rights of the Clients and in accordance with the applicable provisions of law.
  7. Protective means of personal data
    1. The Controller protects the personal data of the Clients against unauthorised access of third parties as well as provides organisational and legal measures in accordance with the applicable law, aimed at guaranteeing the confidentiality of the personal data of the Clients and the use of the data in a manner preventing unauthorised access.
    2. The Controller shall implement and apply appropriate technical solutions aimed at the protection of the Clients’ personal data. In particular, the Controller shall apply the highest quality technical and IT security measures, as well as physical security measures.
  8. Clients’ rights regarding personal data
    1. Each Client may lodge a complaint regarding the processing of his or her personal data.
    2. Each Client also has the right:
      1. to obtain confirmation from the Controller whether the personal data concerning the Client are being processed and, if so, to access them as well as the following information:
        1. the purposes of the processing;
        2. the categories of personal data;
        3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
        4. as far as possible – information on the planned period of retention of personal data and, if this is not possible, the criteria for determining such a period;
        5. the right to request the Controller to amend, erase or limit the processing of personal data concerning the person whom the data apply to, and to object to such processing;
        6. the right to lodge a complaint with the supervisory authority;
        7. if the personal data have not been collected from the person whom the data apply to, all available information on their source;
        8. automated decision making, including profiling, and relevant information on how such decisions are taken, as well as on the relevance and foreseeable consequences of such processing for the person whom the data apply to;
      2. to lodge a complaint with the supervisory authority;
      3. to request the Controller to amend, without delay, any Client’s personal data which are incorrect; taking into account the purposes of processing, the Client shall also have the right to demand that the incomplete personal data be supplemented, including the submission of an
      4. not to be the subject of automated decision-making, including profiling;
      5. to raise an objection – for reasons relating to the Client’s specific situation – against the processing of personal data related to him/her being carried out in the cases specified in legal provisions;
      6. to demand from the Controller to delete any personal data concerning him/her ("the right to be forgotten") immediately if one of the following conditions is met:
        1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
        2. the Client has withdrawn their consent on which the processing has been based and hence there is no other legal basis for the processing;
        3. the Client objects to the processing and this objection is based on the applicable regulations;
        4. the personal data have been unlawfully processed;
        5. the personal data must be erased in order to comply with a legal obligation provided for by an EU law or by the law of a Member State which the Controller is subject to;

        6. the personal data were collected in connection with the provision of information society services to a child in accordance with the applicable legislation;

      7. to request the Controller to limit the processing of personal data when:
        1. the Client disputes the correctness of the personal data – for the period allowing the Controller to check the correctness of the data;

        2. the processing is unlawful and the Client objects to the deletion of their personal data and demands to limit their use;

        3. the Controller no longer needs the personal data for the purpose of processing, but it is necessary for the Client to establish, assert or defend his/her claims;

        4. the Client has lodged an objection in accordance with the applicable regulations to the processing – until it is determined whether the legally justified grounds on the part of the Controller prevail over the grounds of the Client’s objection;

      8. to require the Controller to provide, in a structured, commonly used machine-readable format, the personal data related to the Client that he or she has shared with the Controller and to send such data to another Controller without any obstruction from the Controller, if:
        1. the processing is carried out on the basis of a consent or on the basis of a contract; and

        2. the processing is carried out automatically.

  9. Complaint procedure
    1. A complaint may be filed:
      1. in writing – to the address of the Controller’s registered office, i.e. REAS Spółka z ograniczoną odpowiedzialnością Spółka komandytowa with its registered office in Warsaw, ul. Belwederska 9 lok. 103, 00-761 Warszawa;

      2. in an electronic form – to the e-mail address: rodo@reas.pl.

    2. The complaint should include at least the following:
      1. an indication of how the personal data breach has occurred and what it is about;

      2. an indication of the data needed to inform the complainant about the manner of handling the complaint.

    3. If one of the demands referred to in point 8.2 above is included, the complaint should contain:
      1. the content of the request;

      2. if necessary – the justification of the request;

      3. an indication of the data needed to inform the complainant about the manner of handling the complaint.

    4. The Controller may ask the complainant to provide additional information if it is necessary to handle the complaint or the request.

    5. If one of the demands referred to in point 8.2 above is included, it shall be handled in accordance with the provisions concerning the complaint procedure. This being the case, the Controller may ask the complainant to prove their identity in order to verify whether this person is entitled to lodge such a request.

    6. The complaint shall be handled immediately, but not later than within 14 days from the date of its filing.

    7. If the complaint requires additional proceedings, the time limit for handling the complaint may be extended.

    8. At each stage, the complainant may obtain information from the Controller on the status of the complaint.

    9. Immediately after the complaint has been investigated, the Controller shall inform the complainant about the manner in which it has been considered and about the actions taken in relation to the complaint.

    10. The Controller communicates with the complainant in an electronic form – to the e-mail address provided by the complainant. If the complainant fails to provide an e-mail address, the Controller shall communicate with the complainant in writing.

    11. The failure to respond to the complaint within 30 days from the date of its filing shall mean that the complaint has been accepted. If the Controller fails to take action related to the Client's complaint, the Controller shall immediately – within one month from receiving the request at the latest – inform the person whom the data apply to about the reasons for not taking action and about the possibility of filing a complaint with the supervisory authority and an option to exercise legal remedies before the court.

    12. If the complaint is found to have resulted in a breach of personal data protection, the Controller shall take the actions that are described in the applicable provisions of law.

  10. Cookies policy
    1. On the Website, the Controller uses the mechanism of so-called "cookies", i.e. IT data, in particular the text files stored by servers on the Client's terminal device, which the servers can access each time they are connected to this terminal device.
    2. By default, the web browsing software (web browser) allows cookies to be stored on the Clients’ devices. At any time, the Clients may change the cookie settings, in particular to block the automatic handling of cookies by their web browser or to inform about creation of cookies every time a website is visited on the Client’s device. This change may result in difficulties related to how the Website works.
    3. The detailed information about the possibility and methods of using cookies is specified in the settings of web browsers.
    4. The majority of cookies are so-called session cookies, which are automatically deleted from a hard drive at the end of a session, i.e. when the user logs out or closes the browser window. Some cookies allow for the identification of the Client when he/she visits the website again, as such cookies are not automatically deleted.
    5. The Controller uses the cookie mechanism only for information purposes, in order to improve and facilitate the operation of the Website, to improve the appearance of the Website and to collect anonymous aggregated statistics on how the Clients use the Website, which is intended to help improve the functionality and content of the Website.
  11. Amendments to Privacy Policy
    1. This Privacy Policy shall be effective as of 25 May 2018.
    2. The Controller reserves the right to change this Privacy Policy for an important reason, in particular in the case of:
      1. the need to bring the Privacy Policy into line with the laws or decisions and rulings of courts or public authorities;
      2. changes in the data, including names, addresses, identification numbers, contained in the Privacy Policy;
      3. improvement of customer services.
    3. The Clients shall be informed of the change in the Privacy Policy by means of a notice published on the Website or by sending a notice of the change in the Privacy Policy to the Client’s e-mail address.
    4. The change of the Privacy Policy does not affect the processing of personal data carried out before the change has been introduced.
  12. Final provisions
    1. Any enquiries or issues related to the processing and protection of personal data should be sent to the Controller in writing, by e-mail or telephone – the contact details being:
      1. REAS Spółka z ograniczoną odpowiedzialnością Spółka komandytowa with its registered office in Warsaw, ul. Belwederska 9 lok. 103, 00-761 Warszawa
      2. e-mail contact address: rodo@reas.pl
      3. contact telephone number: 22 380 21 00.
    2. On the Website, the Controller may place links enabling the Clients to go directly to other websites. This Privacy Policy does not cover the websites run by other entities that are independent of the Controller, and the Controller is not responsible for the processing of personal data by other entities running other websites.
    3. Should this Privacy Policy conflict with the provisions of generally applicable law on the protection of personal data, the Controller shall take steps to adapt this Privacy Policy to the requirements of applicable law – however, even in the period preceding such a change, the Controller shall apply the principles of personal data protection arising from these provisions.