1. The administrator of the data is Chagowska Productions spółka z ograniczoną odpowiedzialnością spółka komandytowa with its registered office in Warsaw, Ludwika Rydygiera 13/294, 01-793 Warsaw, registered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XII Economic Department of the National Court Register under KRS No.: 0000562649, NIP: 5252621566, REGON: 36176909200000, operating the website at: www.zoukfestival.pl (hereinafter: the “Company”).
2. Provision of any personal data is voluntary, however, it is necessary in order to achieve the purpose or take actions related to the provision of such data.
3. The Administrator processes the following Customer data:
– surname and first names,
– e-mail address,
– residential address and postal code,
– activity relative to individual projects,
– activity in relation to the use of particular services,
– necessary health data related to the performance of the service,
– personal data or information that we are obliged to collect under applicable laws, recommendations or guidelines.
In case the service participant is a child, data of both children and their parents are processed. The administrator also processes the e-mail address, telephone number and name of the newsletter recipient. For employees, the set of data processed results from personnel regulations.
4. Based on Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) – GDPR, the basis for the processing of personal data by the Administrator is the consent of the Users, legal obligation and performance of the contract.
5. Data processing purposes:
– sale of Services and products offered (Article 6(1)(b) of the GDPR),
– Due performance of agreements concluded with Chagowska Productions (Article 6(1)(b) GDPR),
– delivery of information and advertising mailings consented to by the user (Article 6(1)(a) GDPR),
– organizing trips, workshops, conferences, meetings, sports and educational events (Article 6(1)(b) GDPR),
– Organization of sports activities (Article 6(1)(b) GDPR),
– activities related to sports and healthy living,
– ensuring the health safety of customers and employees,
– ongoing informational, educational and advertising communications with audiences,
6. All members of the Company’s team have access to personal data. Access to individual categories of people is separated by limiting technical permission to enter a shared drive or folder. On a similar note, documents are also physically secured in locked cabinets. A list of external entities that have access to personal data can be found here (https://docs.google.com/document/d/1Uh9yYBI2B_9DB_TNCCK8nh8tB5hAQjbNQc0NQ79PzQA)
The privacy policies of each of these entities are located on their pages provided in the link above.
The above entities guarantee compliance with the Ordinance or compliance with standards analogous to the Ordinance in terms of personal data protection, and the Administrator’s use of their technology in processing personal data is lawful. Entities have entered into entrustment agreements, mostly in the form of updates to their regulations.
The Administrator will not sell or transfer customers’ personal data to other entities other than those specified in the link.
The User acknowledges that his/her personal data may be transferred to authorized state authorities in connection with their proceedings, at their request and upon fulfillment of the prerequisites confirming the necessity of obtaining such data from us.
7. The user exercises the following rights:
a. The right to withdraw consent – withdrawal of consent, however, may prevent further use of services that the Administrator can legally provide only with consent. In addition, withdrawal of consent does not render the processing of personal data unlawful until the moment of withdrawal.
b. Right to object to the use of data – if the Administrator processes data based on a legitimate interest, the Reader may object to its use. If the objection proves to be legitimate and the Administrator has no other legal basis for processing the data – it will delete the objected data.
c. The right to erasure of data (“right to be forgotten”) – the Administrator will, upon request, erase data if consent is withdrawn, a reasonable objection is made to use for marketing or statistical purposes, processing is unlawful, or if it is no longer necessary for the purposes for which it was collected or for which it was processed. The Administrator stipulates that it may retain certain personal data to the extent necessary for backup or for the purposes of establishing, asserting or defending claims and relations with state authorities.
d. The right to restrict data processing – if you question the accuracy of the data and the lawfulness or necessity of the processing and object.
e. The right to access the data – the Administrator undertakes to confirm the processing of personal data, if it takes place. In this case, the User has the opportunity to obtain a copy of the data and access it, and obtain the information contained herein and other requested.
f. Right to rectify data – the Administrator, at the request of the User or Client, undertakes to rectify data (for incorrect data) and to complete data (for incomplete data).
g. The right to data portability – at the request of the User or Customer, the Administrator will send, in the form of a file in pdf or other established format, personal data to the requesting party or directly to another Administrator designated by the User or Customer.
h. In addition, the user has the right to file a complaint with the President of the Office for Personal Data Protection.
The Administrator shall ensure the exercise of rights by writing an email to firstname.lastname@example.org
specifying legibly, in the title, which right the User wishes to exercise. The Administrator, upon receipt of the message, will fulfill the request within 30 days.
8. Data storage
a. The period of data storage will not be shorter than the period specified in the applicable laws (special laws), i.e.: the Accounting Act, the Tax Ordinance, the Act on Pensions from the Social Insurance Fund, or the Act on the Social Insurance System.
b. Data of newsletter recipients will be stored until the request for their deletion,
c. Customers’ data will be stored until the expiration of the statute of limitations for claims under them.
The company undertakes to destroy temporarily created documents containing personal data (e.g. List of participants in a particular event or class) and to take care of data circulation and minimization in accordance with the procedures recorded in the Register of Processing Activities.
The Administrator shall apply technical and organizational measures to ensure the protection of the processed personal data appropriate to the risks and categories of protected data, and in particular shall protect the data from being accessed by unauthorized persons, from being taken by an unauthorized person, from being processed in violation of applicable regulations, and from being altered, lost, damaged or destroyed.
The Personal Data Controller hereby informs that he has not appointed a Data Protection Officer (DPO) and performs duties related to the processing of personal data independently.