I. The Preamble.
- what personal data are and what is the processing of personal data;
- who controls personal data of the Users;
- what are the principles for our processing of personal data of the Users;
- for what purposes and based on which legal grounds we use personal data of the Users;
- who we share Users’ personal data with;
- how we secure personal data of the Users;
- how long we process personal data of the Users;
- what rights are granted to the Users in relation to processing of their personal data;
- what are cookies and other technologies related to the functioning of Merixstudio websites.
Detailed information about the processing of Users’ personal data will be provided by us in information clauses that the Users will receive when we collect their personal data - when they use our services, subscribe to our newsletter, use our contact forms, participate in our competitions, promotional campaigns and events within which we collect their personal data.
II. Personal data and processing of personal data.
Personal data are any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
III. Controlling of personal data.
The controller of Users’ personal data is Mr. Adam Śledzikowski, conducting business as “Adam Śledzikowski MERIXSTUDIO” with his registered office at Małachowskiego 10 in Poznań, holder of VAT-EU number: PL7772427860 (referred to in this document as “Controller” or “Merixstudio”).
Pursuant to the relevant agreement concluded with Merixstudio, GoDealla sp. z o. o. (limited liability company with headquarters in Poznań at Małachowskiego 10, 61-129 Poznań, entered into the Register of Entrepreneurs kept by the District Court Poznań - Nowe Miasto i Wilda w Poznaniu, 8th Commercial Department of the National Court Register under KRS (NCR) number: 0000406039, VAT-EU number: PL7831685435) is the joint controller of Users’ personal data. The basic content of the arrangements between the joint controllers is available to the Users under the following link: www.merixstudio.com/jointcontrollers.
IV. Principles for processing of personal data.
As part of the processing of Users' personal data, we take due care to ensure that these data are processed in a legal, reliable, transparent and secure manner for every User.
Below are the most significant principles we follow while processing User’s personal data:
- We obtain personal data for clearly defined purposes and we do not process data in a manner inconsistent with these purposes.
- We collect personal data only to a minimum extent, necessary to achieve the purposes for which they are collected.
- We process personal data only on the basis of a valid legal ground.
- We care about the validity and correctness of Users' personal data and we respond promptly to any applications submitted to us by the Users regarding rectification or update of Users’ personal data.
- We limit the storage of personal data only to the period necessary to achieve the purposes for which they are collected, unless there are events that may extend the period of data storage (such as a change in the law ordering extension of the data storage period or legal dispute with the User whose data we process).
- We execute the Users' rights to: access their personal data, correct them, delete personal data, withdraw consent for processing of personal data, restrict processing, transfer data, object to data processing and not be subject to any decisions based solely on automated data processing, including profiling.
- We protect Users' personal data against unauthorized access, as well as against accidental or unlawful loss, damage or alteration of personal data.
- If personal data is shared with other processors, it is done in a secure manner, secured by an appropriate agreement on entrusting of personal data, in accordance with applicable law.
V. Purposes and legal grounds for processing of personal data.
We process Users' personal data for specific purposes and based on a specific legal basis, informing the Users about it. Due to the fact that the purposes and grounds for the processing of Users' personal data may vary depending on the relationship between us and the Users, we indicate these purposes and grounds by exercising the information obligation referred to in Article 13 or 14 of GDPR. Most often, however, the processing of personal data will take place for the following purposes:
- in relation to our potential customers - to conclude a contract; in this case, the legal basis for the processing of personal data will be taking action at the request of the data subject before the conclusion of the contract [art. 6 clause 1 letter b) of GDPR];
- in relation to our clients - in order to implement the concluded contract, in this case the legal basis for the processing of personal data will be the performance of the contract [art. 6 clause 1 letter b) of GDPR];
- in relation to employees, co-workers or representatives of our clients and potential clients - in order to conclude or perform the contract; in this case, the legal basis for the processing will be the legitimate interest pursued by the Controller [art. 6 clause 1 letter f) of GDPR];
- in relation to the recipients of our marketing campaigns - in order to implement marketing activities; in this case, the legal basis for the processing will be the legitimate interest pursued by the Controller [art. 6 clause 1 letter f) of GDPR];
- in relation to newsletter subscribers - in order to send the newsletter to the subscriber; in this case, the legal basis for processing will be the User's consent [art. 6 clause 1 letter a) of GDPR];
- in relation to persons using our contact form - to handle queries and requests addressed to us; in this case, the legal basis for processing will be the User's consent [art. 6 clause 1 letter a) of GDPR];
- in relation to candidates for work in our company - for the recruitment of employees; in this case, the legal basis for the processing of personal data will be taking action at the request of the data subject before the conclusion of the contract [art. 6 clause 1 letter b) of GDPR], and in exceptional cases, the consent of the candidate [art. 6 clause 1 letter a) of GDPR];
- in relation to participants and speakers of workshops, trainings, conferences and industry events organized or co-organized by us - in order to provide the User with the opportunity to participate in an event organized or co-organized by us; in this case, the legal basis for the processing of personal data will be taking action at the request of the data subject before the conclusion of the contract and the performance of the contract [art. 6 clause 1 letter b) of GDPR];
- in relation to participants of competitions organized by us - in order to promote our services; in this case, the legal basis for the processing of personal data will be taking action at the request of the data subject before the conclusion of the contract and the performance of the contract [art. 6 clause 1 letter b) of GDPR];
- in relation to potentially each of the above categories of Users, we may also process personal data for the purpose of pursuing claims and defending against claims; in this case, the legal basis for the processing will be the legitimate interest pursued by the Controller [art. 6 clause 1 letter f) of GDPR].
As a principle, providing personal data by the Users is voluntary, but necessary to achieve the purpose of processing (e.g., conclusion and performance of the contract, receiving the newsletter, receipt and processing of an inquiry, etc.), and the lack of disclosure of this data or request to cease their processing will prevent us from realizing this goal.
The personal data that we process may include identification data, e.g. name, contact details (such as phone number, email address), location data, data regarding orders and complaints filed by the User. Each time we define and process only the necessary data.
Users using Merixstudio websites remain anonymous until they decide to disclose their data, e.g. by sending a request via the contact form or subscribing to the newsletter.
VI. Withdrawal of consent.
If Users’ personal data are processed based on their consent, they have the right to withdraw such consent at any time by sending an e-mail to our e-mail address firstname.lastname@example.org or in writing to Merixstudio (contact data indicated in Chapter III). In the case of subscribers to the newsletter, withdrawal of consent may take place by canceling the subscription in a manner analogous to the process of subscription to the newsletter.
Withdrawal of consent does not entail any negative consequences or unpleasantness. The Users should be aware, however, that withdrawal of consent may entail the inability to use such services as, for example: receiving a newsletter, receiving invitations to events or services provided by us commercially.
The withdrawal of consent does not affect the lawfulness of the User's data processing, which was made on the basis of this consent prior to its withdrawal.
After receiving a statement of withdrawal of consent to the processing of the User’s personal data, we will cease to process the User’s data; however, further processing of the User’s personal data will still be possible for other purposes (e.g. contract performance, evidence demonstration, claim enforcement) - based on another valid legal basis, indicated in particular in Articles 6 and 9 of GDPR.
VII. Sharing of personal data with other recipients.
Users' personal data may be shared by us with the following service providers:
- hosting service providers (including cloud-computing services);
- e-mail service providers;
- courier and post service providers;
- newsletter service providers;
- accountancy service providers;
- legal service providers.
Personal data will be transferred outside the European Economic Area only when it is necessary and only on the legal basis determined by the provisions of the GDPR. In view of the above, personal data may be transferred to third countries (e.g. to the USA) in connection with:
- conducting electronic correspondence with Users - the recipient of the data is Google LLC;
- sending the newsletter - the recipient is The Rocket Science Group LLC (owner of the MailChimp mailing system);
- analysis of website statistics - the recipient of data is Google Analytics, Google AdWords and Google AdSense;
- adaptation of links on websites and collecting information such as quantity, location and source of entries - the recipient of the data is Bitly, Inc.
The above-mentioned recipients of personal data in the USA have joined the Privacy Shield program established by Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of protection provided by the EU-US Privacy Shield and ensure an adequate level of protection of personal data.
The Users are entitled to obtain copies of the security measures used by us while transferring Users’ personal data to third countries - by making a request to us at our e-mail address: email@example.com. The list of entities participating in the "Privacy Shield" program can be found under the following link: https://www.privacyshield.gov/participant_search, while the main assumptions of this program can be found here: https://www.privacyshield.gov/Program-Overview.
VIII. Security of personal data.
We apply technical and organizational measures to protect personal data against illegal or unauthorized access or use, as well as against accidental destruction, loss or violation of integrity.
As part of ensuring the security of the personal data being processed, we include:
- confidentiality of personal data - we ensure that your personal information is not accidentally disclosed to unauthorized persons;
- integrity of personal data - we protect data against unauthorized modification;
- accessibility of personal data - we provide authorized persons with access to personal data if necessary.
Every employee or associate of Merixstudio who has access to personal data is properly authorized and obliged to keep the processed personal data confidential.
IX. Data storage.
We store personal data for the period necessary to achieve the goals which were communicated to the User.
The period of storage of personal data is determined in strict compliance with applicable law. In order to determine the period of personal data processing, we keep a register of personal data processing activities pursuant to art. 30 clause 1 of GDPR.
The User is entitled at any time to obtain information on the storage time of his personal data.
X. Users' rights related to the processing of personal data.
We implement Users' rights related to the processing of their personal data, which are defined in Articles 15-22 of GDPR.
The Users have the following rights:
- The right to withdraw their consent on processing of personal data at any time;
- The right to access their personal data and receive their copies;
- The right to rectify outdated or incorrect personal data;
- The right to supplement incomplete personal data;
- The right to erase their personal data;
- The right to restrict processing of their personal data;
- The right to information about recipients of personal data subject to correction, deletion or restriction of processing of data revealed to such recipients;
- The right to transfer of personal data;
- The right to object to processing of their personal data;
- The right not to be subject to decisions based solely on the automated processing of personal data, including profiling;
- The right to lodge a complaint regarding processing of their personal data with a competent supervisory authority.
Any correspondence regarding matters related to the processing of Users’ personal data should be sent to the Merixstudio address indicated in Chapter 3 above with the postscript "Personal data" or to our e-mail address: firstname.lastname@example.org.
Users' applications will be examined without undue delay, however not later than within one month after their receipt. This deadline may be extended due to the complexity of the request or the number of requests, for a maximum of two more months, about which the User will be informed within one month of submitting the application.
Personal data is not profiled by us, nor is it subject to any other form of automated processing that results in making decisions that have legal or any other material effect on the User.
XI. Cookies, server logs and other technologies.
We use cookie files (cookies), which are small text files, stored on the User's end device (e.g. computer, tablet, smartphone). Cookies can be read by our data communication systems.
We store cookies on the end device of the User, and then we gain access to information contained therein for statistical purposes, marketing purposes (remarketing) and to ensure the correct operation of Merixstudio websites, as well as their improvement and development.
The User has the option of configuring the web browser so it prevents the storage of cookies on the end device used by the User. In such a situation, the User's use of Merixstudio websites may be impeded. Information on disabling cookie files can be easily found by typing the following search term: "[browser name] blocking cookies" in the search box in the web browser.
Cookie files may be deleted by the User after they have been saved by us, through appropriate functions of the web browser, programs used for this purpose or using appropriate tools available as part of the operating system used by the User.
- Using Merixstudio websites involves sending queries to the server on which Merixstudio websites are stored.
- Each query addressed to the server is saved in the server logs. Logs include User's IP address, date and time of sending the query to the server, information about the web browser and operating system used by the User.
- Logs are saved and stored on the server.
- The data stored in the server logs are not associated with specific Users and are not used by us to identify the User.
- The server logs are only auxiliary material used to administer Merixstudio websites, and their content is not disclosed to anyone except those authorized to administer the server.
We use the following technologies to track User's activities within Merixstudio websites:
- Google Analytics tracking code - to analyze website statistics;
- heat maps that represent the User's navigation on Merixstudio websites, and so the statistics of use of Merixstudio websites;
- collecting information such as the number of clicks on the link, location and source of the click (e.g. Facebook, e-mail, etc.) through the application provided by bitly.com;
- Facebook conversion pixel - to manage Facebook ads and run remarketing activities.
Automatic processing of personal data.
The information we collect in connection with the use of our services (including Merixstudio websites) may be processed in an automated manner (including in the form of profiling), however, it will not cause any legal effects to Users or substantially affect their situation in any other way.