Privacy policy

Definitions

1. Administrator - MYWAY Travel Group Sp. z o.o. with its registered office at Al.Jana Pawła II 27, 00-867 Warsaw, KRS: 0001098067, REGON: 528270400, NIP: 5273106579.

2. Personal data - information about an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies and other similar technology.

3. RODO - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

4. Policy - this Privacy Policy.

5. User - any natural person visiting the Site or using one or more of the services or functionalities described in this Policy, as well as any natural person whose personal data is processed by the Administrator, visiting the Administrator's premises or directing an enquiry to the Administrator in the form of an e-mail.

6. Website - the Internet service operated by the Administrator under the address mywaytravel.pl

 

Introduction

1. The purpose of this Policy is to set out the principles, processing and use of Users' personal data. The Policy also contains information on the rights of individuals in relation to the data they provide The legal basis for the Policy is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, as well as the Personal Data Protection Act of 10 May 2018. (Journal of Laws 2018 item 1000). This Policy constitutes the Administrator's implementation of its obligations under Articles 12, 13 and 14 of the DPA.

2. The Policy applies to any website, application or service linking to this information, as well as to data provided through them, whether by telephone, email or in person at the Administrator's premises. Please note that when leaving the Administrator's website, the User enters an area where the Policy does not apply. The Administrator is not responsible for the privacy policy rules applicable to websites operated by other entities.

3. In connection with the Administrator's business activities and the User's use of the Website, the Administrator collects data to the extent necessary for the provision of the individual services offered, as well as information about the User's activity on the Website The detailed principles and purposes of the processing of Personal Data are described below.

 

Contact with the Controller and Data Protection Officer

For all matters relating to the processing of personal data, the Controller can be contacted at the above-mentioned registered office address or by e-mail at kontakt@mywaytravel.pl.

Purposes and legal bases for processing Personal Data

The Controller processes personal data in accordance with the profile of the activity, for the purposes indicated below. If, due to the law, the characteristics of the service or the necessity of its settlement, there is a need to process other personal data of data subjects, the Administrator may process them to the necessary extent.

Use of the Service

Personal data of all persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies), are processed by the Administrator:

1. in order to provide services electronically in terms of providing Users with access to content collected on the Website - in which case the legal basis for the processing is the necessity of the processing for the performance of the contract (Article 6 1(b) RODO);

2. for analytical and statistical purposes, in which case the legal basis for the processing is the Administrator's legitimate interest (Article 6(1)(f) RODO), consisting of conducting analyses of Users' activities, as well as their preferences in order to improve the functionalities used and services provided;

3. for the purposes of possible establishment and investigation of claims or defence against claims - the legal basis for the processing is the legitimate interest of the Administrator (Article 6 1(f) RODO) to protect your rights.

The User's activity on the Website, including his/her personal data, are recorded in system logs (a special computer programme used to store a chronological record containing information on events and activities that concern the IT system used to provide services by the Administrator). The information collected in the logs is processed primarily for purposes related to the provision of services. The Administrator also processes them for technical, administrative purposes, for the purposes of ensuring the security of the IT system and the management of this system, as well as for analytical and statistical purposes - in this regard, the legal basis for processing is the Administrator's legitimate interest (Article 6(1)(f) RODO).

Sending commercial/marketing information

In the case of consent to receive marketing/trade information from the Administrator by e-mail and/or telephone, Personal Data is processed for the purpose of providing the aforementioned information.
The legal basis for the processing of the Personal Data is the Administrator's legitimate interest in relation to the consent given - Article 6(1)(f) RODO, consisting of the provision of the content requested by the User.

Contact form

The Administrator provides the possibility to contact him/her using electronic contact forms. The use of the form requires the User to provide personal data necessary to contact the User and respond to the enquiry. The User may also provide other data in order to facilitate the contact or handling of the enquiry. The provision of data marked as mandatory is required in order to receive and handle the enquiry, and failure to provide such data will result in the impossibility of service. The provision of other data is voluntary.
The legal basis for the processing of personal data is the legitimate interest of the Controller - Article 6(1)(f) of the RODO, which consists in providing service to the message and answering the resulting questions.

E-mail and traditional correspondence

When personal data contained in such correspondence is addressed to the Administrator by e-mail or by traditional mail not related to the services provided to the sender or to any other contract concluded with the sender, the personal data contained in such correspondence is processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.
The legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the DPA) in carrying out correspondence addressed to it in connection with its business activities.

Telephone contact

When contacting the Administrator by telephone, on matters not related to the contract concluded or the services provided, the Administrator may request personal data only if it is necessary to handle the matter to which the contact relates.
The legal basis in this case is the legitimate interest of the Administrator (Article 6(1)(f) RODO) consisting of the need to resolve a reported matter related to his/her business activity.

Data collection within business contacts

In connection with business activities, the Administrator collects personal data, e.g. during business meetings or by exchanging business cards - for the purposes of initiating and maintaining business contacts.
Such personal data is processed in order to pursue the legitimate interest of the Administrator and its contractor (Article 6(1)(f) of the RODO) in terms of networking in connection with business activities.

Processing of personal data of the Administrator's clients or staff members/contractors

In connection with the conclusion of contracts in the course of its business activities, the Administrator obtains data from contractors/customers on the persons involved in the performance of such contracts (e.g. data of persons authorised to contact, executing the contract, data of persons representing the client/contractor, etc.). The extent of the data provided is in each case limited to the extent necessary for the performance of the contract and does not normally include information other than name and business contact details.
Such personal data is processed by the Administrator for:

1. the conclusion and performance of a contract, on the basis of necessity for the performance of the contract, i.e. where the processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (Article 6 1(b) RODO);

2. resulting from the legitimate interests pursued by the Administrator, i.e. related to the identification of the parties, ensuring contact with the contractor, verifying that the person who contacts the Administrator is authorised to take action on behalf of the contractor as well as in connection with possible claims, handling of requests, archiving, ongoing contact (Article 6(1)(f) RODO);

3. related to the fulfilment of legal obligations, in particular tax, accounting, civil law (Article 6(1)(c) RODO).

 

Compliance with legal obligations imposed on the Administrator

The Administrator processes the Users' Personal Data in connection with the fulfilment of the legal obligations imposed on it, concerning, among other things, the keeping of accounts and accounting records, as well as the exercise of data subjects' rights.
Such personal data is processed on the basis of Article 6(1)(c). RODO - the processing is necessary for the fulfilment of a legal obligation incumbent on the Administrator.
 
Determining, pursuing and defending against claims

For the purposes of establishing, asserting and defending against claims, including the documentation of objections raised against the processing of personal data, the personal data of Users provided by them to the Administrator will be processed.
The legal basis for the processing of personal data is Article 6(1)(f). RODO, which allows the processing of personal data for the purpose of possible establishment, investigation or defence against claims, being the realisation of the legitimate interest of the Administrator.
 
Recipients of Personal Data

In connection with the conduct of activities that require the processing of personal data, personal data may be disclosed to external parties.
The recipients of the personal data entrusted to the Administrator by the data subjects are the following entities, to whom the personal data are transferred to the minimum extent necessary to fulfil the purpose(s) for which the data were obtained:

• authorised personnel of the Administrator, subcontractors and entities providing services to the Administrator (including IT and technical support services) who need to have access to the data in order to properly perform their duties;

• entities processing personal data on behalf of the Controller (e.g. accounting office, technical service providers, hosting providers, law firms);

• competent authorities authorised in accordance with the applicable legislation;

The Administrator declares that it does not sell, share or transfer the personal data collected for processing to other persons or institutions, except with the express consent or at the request of the data subjects, or at the request of state authorities authorised by law for the purposes of their proceedings or activities related to security or defence, for legally defined tasks carried out for the public good, when this is necessary to fulfil the legally justified purposes of the Administrator.
Transfer of personal data outside the European Economic Area (EEA) The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by law For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily by:

1. cooperation with processors of personal data in countries for which a relevant decision of the European Commission has been issued regarding the determination of an adequate level of protection for Personal Data;

2. use of standard contractual clauses issued by the European Commission

3. the application of binding corporate rules approved by the competent supervisory authority.

 

Period of processing of Personal Data

The Administrator shall process the personal data obtained for the period necessary to fulfil the purpose(s) for which they were provided. The duration of data processing is related to the purposes and grounds for processing, thus:

• Data processed on the basis of statutory requirements (e.g. taxation) will be processed for the period of time during which the law prescribes the retention of the data;

• Where the basis of the processing is the performance of a contract, in which case the data shall be processed by the Controller for as long as it is necessary for the performance of the contract;

• Data processed on the basis of the legitimate interest of the Controller will be processed until an objection is successfully lodged by the data subject or this ceases Data processed in order to assert or defend against claims will be processed for a period equal to the period of limitation of these claims;

• Data processed on the basis of consent will be processed until the data subject withdraws consent.
  The processing period may be extended if the processing is necessary for the establishment or assertion of claims or the defence against claims, and thereafter only if and to the extent required by law. After the expiry of the processing period, the data shall be irreversibly deleted or anonymised.

 

Rights of data subjects
The controller shall exercise the data subjects' rights relating to the processing of their personal data. In particular, each data subject shall have the right to:

• access to your personal data, including obtaining a copy of your personal data;

• rectification (correction) or completion of incomplete personal data;

• to request the erasure of personal data in cases provided for by law ("right to be forgotten");

• request the restriction of the processing of personal data;

• to object to the processing of personal data;

• where the processing of personal data is based on the legitimate interest of the Controller, the data subject shall have the right to object at any time to the processing of personal data, without having to justify his or her decision, in particular where the legitimate interest consists in carrying out direct marketing activities;

• to withdraw consent to the processing of personal data. Consent given by data subjects may be withdrawn at any time, which will not affect the lawfulness of the processing carried out before the consent was

The above rights, as well as the intention to withdraw consent, may be exercised by sending an appropriate request by e-mail to the e-mail address indicated in point III of the Policy or by post to the Administrator's registered office address indicated in points I and III of the Policy.
In cases where it is considered that the Administrator's processing of personal data of individuals violates the provisions of the RODO or is incompatible with the Policy, Users have the right to lodge a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection with its seat in Warsaw, ul. Stawki 2, who can be contacted as follows:

• by post: Stawki 2, 00-193 Warsaw

• through the electronic mailbox available at https://www.uodo.gov.pl/pl/p/kontakt.

• by telephone: (22) 531 03 00

 

Security of Personal Data
The Controller shall ensure the security of personal data against unauthorised disclosure to unauthorised persons, acquisition of data by unauthorised persons, destruction, loss, damage or alteration, and processing of personal data in a manner incompatible with the provisions of the RODO.
The controller shall take technical and organisational measures to safeguard the personal data entrusted to it which meet the requirements of the RODO, in particular the measures listed in Article 24 and Article 32 of the RODO, ensuring confidentiality, integrity and availability of the processing services for the personal data provided.
 
Automated decision-making and profiling

Your data may be processed by the Controller by automated means, including profiling. However, decisions concerning an individual person related to this processing will not be automated.
 
Cookies

Cookies are small text files that are installed on your device (as a User) when you browse our website (the Website). Cookies collect information to facilitate the use of the website - for example, by remembering a User's visits to the Website and the actions they perform.
The mechanisms for storing, reading and exchanging data between the Cookies stored on the User's Device and the Website are implemented through the built-in mechanisms of web browsers and do not allow other data to be retrieved from the User's Device or from other websites visited by the User, including personal data or confidential information. The transmission of viruses, Trojan horses and other worms to the User Device is also practically impossible.
 
Cookies "essential"

We use so-called "cookies" which are necessary primarily for the provision of electronic services to the User. These cookies enable essential functions such as security, identity verification and network management. Cookies used for this purpose include user input cookies (session ID) for the duration of the session.
 
Analytical cookies

We use so-called analytical cookies in order to improve the quality of services on the Website. We therefore use cookies to store information or access information already stored on your telecommunications end device (computer, phone, tablet, etc.). Cookies used for this purpose include Google Analytics cookies used to analyse the User's use of the Website, to create statistics and reports on the functioning of the Website.

"Marketing" cookies

We also use cookies for marketing purposes, inter alia in connection with targeting Users with behavioural advertising. For this purpose, we store information or access information already stored on the User's telecommunications end device (computer, phone, tablet, etc.).

Functional" cookies

We also use Functional Cookies for the purpose of remembering Users' individual choices and providing them with a better and more personalised experience.

Managing cookie settings

Service cookies, which are necessary for the use of the website, are automatically installed on the User's device. Their use is necessary for the provision of the telecommunications service (data transmission for the display of content) - the User does not have the option to opt out of these cookies if they wish to use the Website.
Analytical cookies are not automatically installed by us. You may grant us permission to install analytical cookies by giving your consent when you open the Website.
The User can agree to the installation of only selected analytical cookies. To do this, simply click on the "Settings" button on the banner that appears when entering the website and select the cookies that the User wishes to consent to the installation of.
It is also possible to withdraw your consent to the use of cookies via your browser settings. Detailed information on this can be found under the following links:

• Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorerdelete-manage-cookies

• Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka

• Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647

• Opera: http://help.opera.com/Windows/12.10/pl/cookies.html

• Safari: https://support.apple.com/kb/PH5042?locale=en-GB

In the absence of consent or in the case of withdrawal of consent for a given type and provider of cookies (in the case of non-acceptance of the installation of cookies according to the settings of the browser), the Administrator does not install these types of cookies on the User's terminal equipment.

Cookies of external services

The Administrator on the Website uses javascript and web components of partners who may place their own cookies on the User's device. Please note that you can decide for yourself in your browser settings what cookies are allowed to be used by which websites. Below is a list of the partners or their services implemented on the Website that may place cookies.

• Multimedia services:

  • YouTube

• Community services:

  • LinkedIn

• Keeping statistics:

  • Google Analytics

 

Final provisions
To the extent not covered by this Policy, EU and national data protection legislation applies.