GDPR Information Obligation

The following information is a concise, understandable and transparent summary of the information provided in the Privacy Policy regarding the Data Administrator, the purpose and manner of personal data processing and your rights in relation to this processing, in the form required to fulfill the GDPR information obligation. Details regarding the processing method and entities involved in this process are available in the indicated policy.

Who is the data administrator?

The Personal Data Administrator (hereinafter Administrator) is the company “Naster S.A.”, operating at: ul. Montażowa 3, 43-300 Bielsko Biała, with assigned tax identification number (NIP): 9372673065, providing electronic services via the Service.

How can you contact the data administrator?

You can contact the Administrator in one of the following ways:

• Postal address – Naster S.A., ul. Montażowa 3, 43-300 Bielsko Biała
• E-mail address – biuro@naster.pl
• Phone call – +48 32 610 04 99
• Contact form – available at: https://www.naster.pl/kontakt

Has the Administrator appointed a Data Protection Officer?

Pursuant to Art. 37 of the GDPR, the Administrator has not appointed a Data Protection Officer.

In matters concerning data processing, including personal data, please contact the Administrator directly.

Where do we obtain personal data from and what are their sources?

Data is obtained from the following sources:

• from the data subjects
• in the case of registration using social media platforms, with the expressed conscious consent of these persons, from those social media platforms

What is the scope of personal data processed by us?

The service processes ordinary personal data, provided voluntarily by the data subjects.
(e.g. name and surname, login, e-mail address, phone, IP address, etc.)

The detailed scope of processed data is available in the Privacy Policy.

What are the purposes of our data processing?

Personal data voluntarily provided by Users is processed for one of the following purposes:

• Implementation of electronic services:
  • User account registration and maintenance services in the Service and related functionalities
  • Newsletter services (including sending advertising content with consent)
  • Commenting / liking posts in the Service without the need to register
• Communication of the Administrator with Users on matters related to the Service and data protection
• Ensuring the legally justified interest of the Administrator

What are the legal bases for data processing?

The Service collects and processes User data on the basis of:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • art. 6(1)(a)
    the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • art. 6(1)(b)
    processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • art. 6(1)(f)
    processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
• Act of 10 May 2018 on the protection of personal data (Journal of Laws 2018, item 1000)
• Act of 16 July 2004 Telecommunications Law (Journal of Laws 2004 No. 171, item 1800)
• Act of 4 February 1994 on Copyright and Related Rights (Journal of Laws 1994 No. 24, item 83)

What is the legally justified interest pursued by the Administrator?

• For the purpose of possible establishment, investigation or defense against claims – the legal basis for processing is our legitimate interest (Art. 6(1)(f) GDPR) consisting in the protection of our rights, including among others;
• For the purpose of assessing the risk of potential clients
• For the purpose of evaluating planned marketing campaigns
• For the purpose of conducting direct marketing

For how long do we process personal data?

As a rule, the indicated personal data is stored only for the period of providing the service within the operated service by the Administrator. They are deleted or anonymized within a period of up to 30 days from the termination of the service (e.g. deletion of a registered user account, unsubscribing from the newsletter list, etc.)

In exceptional situations, in order to secure the legally justified interest pursued by the Administrator, this period may be extended. In such a situation, the Administrator will store the indicated data, from the time of requesting their deletion by the User, for no longer than 3 years in the event of a violation or suspected violation of the service regulations by the data subject.

Who is the recipient of data including personal data?

As a rule, the only recipient of data is the Administrator.

However, data processing may be entrusted to other entities providing services on behalf of the Administrator in order to maintain the operation of the Service.

Such entities include, among others:

• Hosting companies, providing hosting or related services for the Administrator
• Companies through which the Newsletter service is provided
• IT maintenance and support companies performing maintenance or responsible for maintaining the IT infrastructure

Will your personal data be transferred outside the European Union?

Personal data will not be transferred outside the European Union, unless they have been published as a result of an individual action of the User (e.g. entering a comment or entry), which will make the data available to every person visiting the service.

Will personal data be used for automated decision-making?

Personal data will not be used for automated decision-making (profiling).

What rights do you have regarding the processing of personal data?

• Right of access to personal data
  Users have the right to obtain access to their personal data, exercised upon request submitted to the Administrator
• Right to rectification of personal data
  Users have the right to request the Administrator to immediately rectify personal data that is incorrect and / or to complete incomplete personal data, exercised upon request submitted to the Administrator
• Right to erasure of personal data
  Users have the right to request the Administrator to immediately delete personal data, exercised upon request submitted to the Administrator.

  In the case of user accounts, data deletion involves anonymizing data enabling the identification of the User.

  In the case of the Newsletter service, the User can delete their personal data themselves using the link placed in each e-mail message sent.

• Right to restriction of processing of personal data
  Users have the right to restrict the processing of personal data in the cases indicated in Art. 18 of the GDPR, e.g. questioning the accuracy of personal data, exercised upon request submitted to the Administrator
• Right to data portability
  Users have the right to obtain from the Administrator, personal data concerning the User in a structured, commonly used machine-readable format, exercised upon request submitted to the Administrator
• Right to object to the processing of personal data
  Users have the right to object to the processing of their personal data in the cases specified in Art. 21 of the GDPR, exercised upon request submitted to the Administrator
• Right to lodge a complaint
  Users have the right to lodge a complaint with the supervisory authority dealing with the protection of personal data.