Privacy protection rules

This Privacy Policy determines the rules of processing and ensuring the safety of your personal data, including user data on the website www.szkolastok.pl; further referred to as the “Website” – in connection with your use of functionalities or services available via the Website, data processed by electronic means of communication (including e-mail) or legal relationship between the “Stok” Ski School and data subject (person who has the parental authority or parental care of a child, who gave his/her consent or approved it – in the scope of processing personal data of a child under 16) and performance of the legal relationship as well as obligations set out in legal regulations.

According to the GDPR, personal data means any information relating to an identified or identifiable natural person (that is a given adult or child), like, for example, name, surname or identification number.

Personal Data Controller explains that your data are processed pursuant to provisions of law, including:

  • provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; referred to in this document as: “GDPR”);
  • provisions of the Act of 16 July 2004 – Telecommunications Law;
  • provisions of the Act of 10 May 2018 on the protection of personal data;
  • provisions of the Act of 18 July 2002 on rendering electronic services.

having regard, amongst others, to the provisions of the Act of 23 April 1964 – the Civil Code and the Act of
4 February 1994 on copyright and derivative rights.

At the same time, the Controller ensures the protection of your personal data by applying appropriate organisational and technical solutions which prevent third-party intrusion in users’ privacy.
When processing data, the Data Controller, taking into consideration provisions of Art. 5 of the GDPR, conforms to the following rules: compliance with the law, transparency and reliability, purpose limitation, data minimisation, correctness and storage limitation, integrity, confidentiality and also adequacy with the purpose of the processing.
The Website is used by means of a secure SSL protocol which significantly increases data protection on the Internet (a special standard for transmission of data via the Internet where transmission is encrypted, contrary to standard transmission which is made in plain text).

Data Controller

The Controller of your personal data is Maciej Kolasa who operates under the business name Kolasa Maciej Szkoła Narciarska “STOK”, address: ul. Długa 128, 34-400 Nowy Targ, NIP [Tax ID No.]: 7351046876,
REGON [National Business Registry Number]: 492719017, e-mail: [email protected], tel.: +48 (18) 26 54 280.
The Controller makes his best efforts to prevent a breach of personal data protection which is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Personal data processing

Your personal data is processed by the Controller in accordance with provisions of law
for the following purposes – depending on the legal relationship between the Controller and data subject, as well as the type of Website functionality or service used by a given data subject:

  1. A. respectively, pursuant to Art. 6(1)(a) of the GDPR:
    • in cases where consent is required for personal data processing;
    • in order to use an image of a person pursuant to Art. 81 of the Act on copyright and related rights, in so far as the consent is required in accordance with provisions of law;
  2. B. respectively, pursuant to Art. 9(2)(a) of the GDPR
    • if they are indispensable to ensure a personal service required by the customer;
  3. C. respectively, pursuant to Art. 6(1)(b) of the GDPR:in order to use the Website;
    • in order to conclude a distance contract with the Controller or take actions required by the data subject before concluding a distance contract with the Controller;
    • in order to implement an agreement (for the provision of services);
    • in order to implement an agreement; including processing of an account and solving technical problems, and to contact the user in connection with the performance of the agreement;
  4. D. respectively, pursuant to Art. 6(1)(c) of the GDPR:
    • in order to comply with legal obligations resulting from provisions which are generally applicable and incumbent upon the Controller: including accounting and tax purposes; to meet complaint obligations (processing of complaints) relating to any agreements made via the Website; to pass information upon request from a state authority on the basis of special rulings, for example, police, prosecutor’s office or court;
  5. E. respectively, pursuant to Art. 6(1)(d) of the GDPR:
    • to protect human life and health (reporting an accident to emergency services);
  6. F. respectively, pursuant to Art. 6(1)(d) of the GDPR, having regard to the legitimate interest of the Controller in the form of the following purposes:
    • in order to possibly identify, pursue claims against data subjects or defend them against claims (including debt collection, conducting judicial proceedings and resulting executive proceedings);
    • for archiving purposes to protect information, that is agreements and payment documents, if present (to fulfil the obligation of accountability resulting from the GDPR);
    • for analytical purposes, that is tailoring services to the needs of users; to optimise products on the basis of user feedback, user interests, technical logs of applications; to improve the customer service process on the basis of functioning of sales and after-sales support, including complaints (the information on statistics kept by the Controller enables him to improve his business activities);
    • in order to offer the Controller’s products and services directly to users (direct marketing);
    • in order to offer the Controller’s products and services directly to users ([direct] marketing) or to directly offer products and services (marketing) of companies cooperating with the Controller (Controller’s partners) using electronic means of communication – but these activities, due to other applicable provisions, especially the Telecommunications Law and Act on rendering electronic services, are carried out only after obtaining relevant approvals, provided that such approvals are obtained and required by law.
    • for conducting user satisfaction surveys and determining the quality of service;
    • to ensure security and prevent malpractice and fraud;
    • to organise promotional campaigns, loyalty programs and campaigns which may be joined by users;
    • in order to handle notifications sent through the contact form and other applications,
    • including ensuring of accountability, provided that given forms are available on the Website in a given moment (for a legitimate purpose of responding to notifications and enquiries made via the contact form or otherwise, including storage of such communications and replies to them to preserve the principle of accountability);
    • for the handling of correspondence.Pursuant to Art. 81(2)(2) of the Copyright Act, reproduction of an image of a person constituting just a detail of the whole, such as gathering, landscape or public event, does not require any consent – thus for this purpose, under the aforementioned provisions of law and on the basis of a legitimate interest of the “Stok” Ski School, the image may be reproduced. If the location of the provision of services or place of business of the STOK Ski School is under video surveillance (such places are properly marked), data processing is carried out to protect the life and health of customers and to protect their property.As regards the personal data of the Website user, they come exclusively from user activity on the Website run by the Controller, and their scope depends on the type of services and functionalities used by the user and the type of services and functionalities which were/are/will be available on the Website during the mentioned activity of the user; therefore, only relevant and adequate data are stored, in compliance with the rules set out in the opening paragraph, and connected only with user’s activity and not going beyond it.

      As noted above, the data coming from Website users are connected with their activity on the Website; therefore, any and all data originating from Website users are gathered in two ways:

    • information provided by users on a voluntary basis – provision of such information takes place by completing registration and contact forms, provided that they are available on the Website;
    • where the provision of specific data is a precondition to conclude an agreement, and the category of such data (for example, e-mail) is properly described;
    • information gathered during the use of the Website – it includes:
      • information in server logs – servers of the Controller automatically save such data as website request sent by the user, date and time of the request and reply, device data (e.g. equipment type), browser type, browser language, type of operation system,
      • information downloaded by Google Analytics tool in the process of monitoring statistics of website visits,
      • IP address – each PC connected to the Internet has a unique number, that is IP; on its basis you can, for example, identify the country from which a given user connects to the Internet,
      • cookies sent to the user’s PC when visiting the Website;
      • web server logs – by collecting logs from the web server hosting operator, operating under the Website address.

Data recipients

Depending on the scope and aim of processed data, they may be provided – under provisions laid down by law – to other entities which will process them, within the purpose of the processing, respectively:

  1. A. in the case of provision by the Controller of other services than those provided by electronic means, but on the basis of a distance contract – to banks or entities operating an electronic payment system if settlements are necessary; to entities providing support, ordered by the Controller, to business activities carried out by the Controller for the purpose of executing an agreement; entities providing legal assistance – to exercise rights provided for under the law, to safeguard the rights and pursue contractual claims;
  2. B. in all cases, to state authorities or other entities entitled by virtue of law in order to carry out Controller’s obligations which are imposed by law, e.g. police, public prosecutor’s office or tax office;
  3. C. entities providing marketing services – to aid the Controller in the promotion of goods (services), organisation of promotional campaigns as well as loyalty programmes and campaigns;
  4. D. entities managing ICT systems and providing IT services – in the scope of ensuring correct functioning of the system, its updating, repairs, and introducing or improving functionalities;
  5. E. emergency services – in case of an accident;
  6. F. entities supporting the Controller’s business activities upon his order – including suppliers of external systems – to support, improve or develop the Controller’s business;
    if personal data are processed for a particular purpose, whilst respecting data processing rules specified in the GDPR and data retention period.

The data are shared with the external entities only within the legally allowed limits.

Data retention period

Personal data are stored for no longer than necessary for the execution of the objectives mentioned above – including proper functioning of Controller’s business, taking into account the limitation on the validity of claims and period justified by the obligation to keep accounting records in accordance with the provisions of law, legal provisions obliging the Controller to store documents (taking into account the limitation period of the tax obligation), whilst observing the accountability principle. Except for special regulations provided for under the law, data will be processed in such a way that:

a) data included in agreements, proxies and annexes to these agreements are stored for no longer than three months after the expiration of the limitation period for contractual claims;

b) data provided by means of forms available on the Website (or in tangible form) are stored for the period of three years in order to preserve the accountability principle;

c) documents connected with warranty and complaints will be stored for one year from the expiration of the warranty period or handling of a given complaint, whichever is later, unless the period mentioned in letter “a” expires first out of consideration for the limitation period for the claims;

d) data for marketing purposes in the case of data processing on the basis of consent in accordance with the applicable legal provisions – will be stored until the consent to store them is withdrawn or a similar claim with the applicable law is made); while in the case of processing of the data on the basis of Controller’s legitimate purpose – until an objection is made;

e) data provided on the basis of consent – will be stored until the consent is withdrawn (or a similar claim provided by law is made);

At the same time, the Controller reminds that, pursuant to Art. 118 of the Civil Code, unless otherwise stated in a special ruling, the limitation period is ten years, and for claims for periodic benefits and claims related to the running of business activities – the limitation period is three years. Pursuant to Art. 74(2)(4) of the Accountancy Law, accounting documents relating to fixed assets under construction, loans, borrowings and commercial contracts, claims filed in civil, criminal and tax proceedings – are stored for 5 years from the beginning of the year following the financial year in which the operations, transactions and procedures were completed, paid, settled or expired.

Rights with regard to data processing

Furthermore, the Controller informs the data subject:

a) about his/her right to demand from the Controller the access to his or her personal data, the right to rectification, deletion or restriction of the processing of the data, the right to object to the processing, as well as the right to data portability;

b) that in the case where the data are processed on the basis of a declaration of consent (legal basis: Art. 6(1)(a) or Art. 9(2)(a)) – the person giving such consent is entitled to withdraw such consent, at any time, without any impact on the lawfulness of the processing made on the basis of consent before its withdrawal;

c) that the provision of data is voluntary. Failure to provide the data needed to conclude a distance contract, which are also indispensable for tax settlement of the Controller’s business – that is failure to provide data marked as obligatory in order to conclude a distance contract through the Website may prevent the conclusion of such a contract (provision of such data is a precondition for the conclusion of the contract). Otherwise, the non-provision of the data (or a single datum) may hamper or prevent the proper provision of other functionalities or services available on
the Website. In some cases, the provision of data may be conditioned by the possibility to provide a personalised service upon customer’s request.

d) about the right to lodge a complaint with the supervisory body – the President of the Office for Personal Data Protection;

e) that the personal data will be deleted after expiration of the storage period – according to provisions of law;

f) that the personal data are not processed automatically (including profiling) in such a way that any decisions regarding the user might be taken as a result of the profiling, it would cause other legal effects or significantly affect the Website users in any other way. Within the scope of the business activities carried out through the Website, the Controller uses cookie files for the purpose of observing and analysing traffic on the Website. The Website does not automatically gather any information, with the exception of the information contained in the cookies. Information obtained in this way is used, for example, to: manage the Website; detect any possible security threats; study data about aggregate traffic of the Website users for statistical purposes, including the use of Google Analytics tools;

g) that he appointed a Data Protection Officer, who may be contacted at: [email protected] Data subjects can contact the Data Protection Officer on all matters related to the processing of their personal data and their rights under the GDPR;

h) that the Website may contain external links which allow its users to directly access other websites, or that when using the Website cookies from third parties may be stored on your device. These cookies may come, for example, from the following providers: Facebook, Twitter, Instagram, Google+ to make it possible for you to use these Website functionalities which are integrated with the mentioned providers. Each of these providers sets out its own cookie policy within the frames of its privacy policy; therefore, the Controller would like to underline that he cannot influence in any way these privacy policies and the use of cookies by these providers. For safety reasons, we recommend that each user, before using functionalities/resources offered by other websites, reads the regulations of these entities regarding the privacy policy and use of cookies, if they are provided, and if there is no access to them, to contact the administrators of these websites in order to obtain information in this regard.

Cookies

The Controller explains that the Website, pursuant to Art. 173 of the Telecommunications Law, uses cookies in the form of IT data, especially test files which are stored in the users’ terminal equipment. These files usually contain the name of the website from which they originate, their storage time on the end user’s device, as well as a unique number. Cookies are used to:

  • facilitate the use of the Website by the user;
  • identify the user in case of repeated connection of the Website with the device where the cookies are stored;
  • create statistics, which help us understand how the service users benefit from websites, which allows us to improve their structure and content;
  • adapt the web content to specific user’s preferences and optimise the use of websites which are tailored to users’ individual needs.

The Website uses the following cookies: session cookies which are stored in the user’s terminal equipment until logging out, leaving the Website or closing the browser’s persistent cookies – stored in the user’s terminal equipment for the time specified in cookie parameters or until they are deleted by the user; performance cookies – they collect information about how you use our Website; strictly necessary cookies – essential in order to use the services provided by the Website; functionality cookies – they allow the Website to remember the settings made by the user and to customise the user interface; own cookies – saved by our Website; third-party cookies – coming from a different site than the Website.
The Controller explains that the information from cookies is combined with the personal data of the Website user, and that it is not used to determine the user’s identity. The scope of automatically stored information depends on settings of the user’s web browser. It is therefore recommended that the user checks the settings of his/her browser to learn what type of information is automatically shared by the browser or to change these settings. For that purpose, the user may read the “Help” section of the used web browser.

The Controller also informs that it is possible to change the conditions of storage or receipt of cookies by changing web browser settings, for example:

Web browsers usually allow to save cookies in users’ terminal equipment by default. Thus, the Website users can make changes to the cookie settings.  Web browsers also allow deleting cookies and activating automatic blocking of cookies. Details of how to do so can be found in the settings or documentation of the used browser. However, should you decide to disable cookies used for authentication processes, security, maintenance and preferences, the use of the Website may be difficult and, in extreme cases, the lack of cookies may inhibit you from using the Website (or Website functionalities).

Moreover, the Controller explains that information on some activities of the Website users is logged in the server layer. These data are used solely to administer the site and to ensure the most efficient service of the hosting services provided. Viewed resources are identified through URL addresses. Moreover, the following data may be saved: public IP address of the PC from which a query is sent (this may be the user’s PC); customer’s workstation name – identification through http protocol, if possible; user name given during the authorisation process, query time, first line of http request, HTTP response status code, number of bytes sent by the server, URL address of the previously visited site (referrer link) – if taken to the Controller’s website via a link, information on the user’s web browser, information about errors that occurred in the implementation of the HTTP transaction. The above data are not associated with individual persons viewing the websites. The above data are used only for server administration.

Data processing control

The Controller shall make every effort to provide all means of physical, technical and organisational protection of personal data against their accidental or deliberate destruction, accidental loss, change, unauthorised disclosure, use or access, in accordance with all applicable provisions.

This Privacy Policy applies from 18 October 2018.