The Administrator’s Privacy Policy is a document specifying the way in which personal data and other information concerning the users of the website www.mdt.pl/en (hereinafter called the “Website”) is processed. The Privacy Policy lays down the rules of keeping and accessing information on User’s devices by means of the Cookies, used for the purposes of performing services by electronic means by the Administrator as well as the rules of using Web Push notifications. When using the website, you confirm your acceptance of these conditions regardless of your decision on registering in the e-shop.
Users may change the settings concerning the Cookies in their browsers: they may, for example, restrict or disable the Cookies. If you do not change the settings in this regard, the Cookies shall be saved in the memory of the Devices. The change of cookie settings may restrict the functionality of the website (for example, it may be impossible to follow the path of placing an order due to failure to save the products in the basket while making further steps of the order).
§ 1
Definitions
Administrator – MDT Sp. z o. o. [limited liability company] KRS: 0000478430, headquarters: ul. Skośna 12A, 30-383 Kraków. You can contact the Personal Data Administrator via the email address: office@mdt.pl or by sending a letter to the above address. The Administrator provides services by electronic means and stores and accesses information on User’s devices and processes personal data of the User obtained, for instance, via the website and sends Web Push notifications via the website.
- Cookies – IT data, such as short text files saved and stored on devices, by means of which the User makes use of the Administrator’s website.
- Administrator’s Cookies – the Cookies placed by the Administrator, connected with the provision of services by electronic means by the Administrator via the website.
- Third-Party Cookies – Cookies uploaded by Administrator’s partners via the website.
- Personal data – information on a natural person already identified or who may be identified.
- Web Push notifications – notifications including but not limited to marketing information, including information on current promotions, sent to the User’s browser. Web Push notifications are sent to the User’s browser only after obtaining User’s consent for such communications.
- Data processing – operation or set of operations performed on personal data or sets of personal data in an automatic or in a non-automatic way, such as: gathering, preserving, organising, collating, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, making public or other disclosing of, connecting or matching, restricting, deleting or destroying the data.
- Website – a web page or application under which the Administrator runs the internet portal operating in the domain mdt.pl.
- Device – electronic device through which the User obtains access to the website.
- User – an entity in favour of which services may be provided by electronic means in accordance with the Terms of Service and the provisions of law and with whom the agreement for the provision of services by electronic means may be concluded.
§ 2
Types of Cookies used
The Cookies used by the Administrator are safe for the User’s device. In particular, it is not possible for viruses or other unwanted or malicious software to permeate to Users’ Devices in this way. The cookie files allow for identification of software used by the User and for adjusting the website to each individual User. The Cookies usually contain the name of the domain from which they come, time of their storage on the Device and the assigned value. The Administrator uses two types of Cookies:
a) session cookies: they are stored on the User’s Device and remain there until the closing of the session of a given browser. The information saved is then deleted permanently from the memory of the Device. The mechanism of session cookies does not allow for collecting any personal data or confidential information from the user’s Device;
b) persistent cookies: they are stored on the User’s Device and remain there until they are deleted. The end of a browser session or turning off the Device do not result in their deletion from the User’s Device. The mechanism of session Cookies does not allow for collecting any personal data or confidential information from the user’s Device.
The User may restrict or disallow Cookies on his/her Device. When choosing this option, the use of the website will be possible, except for functions which by their nature require the use of the Cookies.
§ 3
Purposes of using the Cookies
The Administrator uses cookie files first and foremost in order to deliver services by electronic means to the User and to improve their quality. Therefore, the Administrator and other entities providing analytic and statistical services in his favour use the Cookies by storing or accessing information kept in the end-user telecommunication device (computer, phone, tablet etc.). The cookie files used for this purpose include: cookies containing data entered by the User for the duration of a session, authentication cookies used for services requiring authentication for the duration of the session, cookie files used to ensure security, for example those used for detecting authentication fraud, session cookies of multimedia players used for the duration of a session, persistent cookies used for the personalisation of the User’s interface for the duration of the session or for a longer time, cookies used for memorising the contents of the basket for the duration of the session, cookie files used for tracking user activity on the website, i.e. data analytics including Google Analytics cookies (files used by the Google company for the purposes of analysing the way of using the Service by the User as well as creating statistics and reports on the functioning of the website) – the Cookies administrator: Google Inc. with its headquarters in the United States. Google does not use the data obtained for the identification of the User and does not connect this information in order to allow for such an identification. Detailed information on the scope and rules of data collection in connection with this service are available at: https://policies.google.com/privacy.
The Administrator also uses cookie files for marketing purposes. For this purpose, the Administrator stores information or obtains access to information stored on the end-user telecommunication device. The use of cookie files and personal data gathered with the use of the cookies for marketing purposes, in particular in the scope of promoting services and goods of third parties, requires the User’s consent. This consent may be given by means of an appropriate configuration of the browser and may be withdrawn at any time, in particular by deleting the cookie history and disallowing cookies in the browser settings.
§ 4
The possibility of determining conditions of the storage of and obtaining access by the Cookies
The User may independently and at any time change the settings related to the Cookies by setting the conditions of their storage and obtaining access to the User’s Device by the Cookies. The change of settings referred to in the previous sentence can be made by the User in the browser settings or by means of service configuration. These settings may be changed, in particular, in such a way so as to block the automatic use of Cookies in the browser settings or to be informed on the placing of Cookies on the User’s device each time. Detailed information on the possibility and ways of managing cookie files are available in software (browser) settings. The User may at any time delete the Cookies by using functions available in his/her browser. The restriction of Cookies may influence the use of some of the features available on the Website.
§ 5
Web Push notifications
Web Push notifications are sent to the User’s browser only after obtaining User’s consent for such communications. In order to give consent to be sent Web Push notifications, the User should choose the option “Show/display notifications” or a similar option (each browser may use a different name for this option) available on the notification sent by his/her browser. The consent for obtaining Web Push notifications may be withdrawn at any time by changing settings in the User’s browser. The Administrator does not process any personal data of the Users using the Web Push notifications. Users are identified solely upon information stored by their browsers to which the Administrator has no access.
§ 6
Information on personal data processing
Pursuant to art.13 of the Regulation no. 2016/679 of the European Parliament and of the Council (EU) of 27.04.2016 on personal data protection in connection with personal data processing and free movement of such data and the repeal of the Directive 95/46/EC (General Data Protection Regulation) – Journal Of the EU no. L.2016.119.1 of 04.05.2016, hereinafter The Regulation or GDPR) we inform that:
The Personal Data Administrator is MDT Sp. z o. o. KRS: 0000478430 (headquarters: ul. Skośna 12A, 30-383 Kraków, web: www.mdt.pl/en). You can contact the Personal Data Administrator via the email address: office@mdt.pl or by sending a letter to the address indicated in the first sentence;
The Data Protection Inspector is Tomasz Kalita, PhD. Persons whose data is concerned may contact the Inspector in relation to personal data processing and exercising the rights in connection with personal data processing via the email address iod@mdt.pl or by sending a letter to the address of the Data Administrator indicated above.
§ 7
Purposes and periods of personal data processing
MDT Sp. z o. o. processes personal data for the following purposes:
- to ensure proper performance of services by processing information concerning the User’s device: IP address of the computer, information included in cookie files and other similar technologies, data of the internet browser, data concerning the session, device and user activity on the web page including subpages. This information does not include any data related to the identity of the Users; however, they may constitute personal data in combination with other information. The data is processed in accordance with art. 6 sec. 1 letter b of the GDPR for the purposes of performance of website services, i.e. the agreement for the performance of services by electronic means in accordance with the terms of service available at the Administrator’s website and in accordance with art. 6 sec. 1 letter a of the GDPR in connection with the consent to use specific types of cookies or similar technologies, given by means of appropriate browser settings in accordance with the Telecommunication Law or in connection with giving consent for geolocation. The data is processed as long as the User makes use of the website;
- to perform the agreement concluded with the Customer, including the creation and management of the account in the e-shop (art. 6 sec. 1 letter b of the GDPR) during the period of realising the ordered services (if the account in the e-shop is deleted, the data shall be processed for a period of three years from its deletion);
- to process the order placed by the Customer without registering in the e-shop (art. 6 sec. 1 letter b of the GDPR);
- to realise the ordered newsletter service provided by electronic means. The Administrator processes data, i.e. the email address provided, the date of joining the subscription and the information on the sending of newsletters – art. 6 sec. 1 letter a of the GDPR;
- to identify the sender and to manage his/her enquiry made via the electronic form (art. 6 sec. 1 letter b of the GDPR);
- to investigate complaints made by Users, to process data provided, in particular the email address, name and surname and contents of the complaint, including the justification of its cause. This data is processed in accordance with art. 6 sec. 1 letter b of the GDPR for the purposes of performing services, i.e. the agreement for the provision of services by electronic means and is processed for a period necessary to investigate the complaint and not longer than 3 months after the end of the investigation procedure;
- to improve the service quality – the Administrator processes statistical information related to the use of the website, including the information on the session, IP number, the amount of time spent on the web page or its subpages, the use of various functionalities of services, information on the device and browser (art. 6 sec. 1 letter f of the GDPR);
- to upload marketing information about products and services on the website in accordance with the legally protected interest of the administrator (art. 6 sec. 1 letter f of GDPR);
- for the purposes of possible investigation of claims or defending himself against claims on the basis of legally justified interest of the Administrator and in accordance with the provisions of national law, in particular the Civil Code (art. 6 sec. 1 letters f and c of the GDPR). The limitation periods are: 6 years for claims concerning property rights (art. 118 of the Civil Code), 3 years for claims related to periodic benefits and for claims connected with conducting business activity (art. 118 of the Civil Code), 3 years for claims related to damage made to a person by illegal action beginning from the date of notifying the damage and obtaining knowledge of the person obliged to satisfy it (art. 4421 of the Civil Code – whereas in the case of pending investigations the period may be extended until the final decision on the end of investigation and the lapse of new limitation periods;
- for the purposes of personal data of Users viewing the Administrator’s profiles in social media. This data is processed exclusively in connection with running the profile and therefore in order to inform Users on the Administrator’s activity and promotion of various events, services and products as well as for the purposes of communication with users by means of features available in social media.
§ 8
Disclosure of data to other entities
The collected personal data may be disclosed to entities and public bodies authorised to process personal data under provisions of the applicable law and to entities which process personal data at the request of the Administrator in connection with the realisation of the delegated task (e.g. hosting and website management, IT services, legal and advisory services).
§ 9
Rights of persons whose data is concerned
A person whose data is concerned has the right, depending on the legal base of data processing, to use the entitlements under the provisions of law, including (but not limited to) the right to:
- access his/her personal data, i.e. to obtain confirmation from the Data Administrator whether his/her personal data is being processed. If the data is processed, he is entitled to access them and to obtain the following information: purposes of processing, categories of personal data, receivers or categories of receivers to which the data was or will be disclosed, the period of data storage or criteria for its setting, the right to request the rectification, deletion or restriction of the processing of personal data available to the User and to raise objections against such processing (art. 15 of the GDPR);
- obtain copies of data being subject to the processing, whereas the first copy is free of charge and for further copies the administrator may charge a reasonable fee as arising from administrative costs (art. 15 sec. 3 of the GDPR);
- rectify incorrect personal data or complete the uncompleted data (art. 16 of the GDPR);
- delete the data if the data Administrator has no legal base for its processing or the data is no longer necessary for the purposes of its processing (art. 17 of the GDPR);
- restrict the processing of data if: the person whose data is concerned questions the correctness of personal data – for a period which allows the Administrator to check the correctness of the data; the processing is against the law and the person whose data is concerned opposes to its deletion by requesting the restriction of their use; the administrator no longer needs the data, but they are necessary for the person whose data is concerned for the purposes of establishing, investigating or defending the claims; the person whose data is concerned raised objections to the processing until the a decision is made on whether the legally justified reasons on the part of the Administrator prevail over the reasons for the objection of the person concerned;
- move the data, i.e. to obtain personal data concerned in a structured and commonly used format readable by a machine, which s/he submitted to the Administrator and to request the sending of this data to other administrator if the data is processed upon consent of the person whose data is concerned or the agreement concluded with him/her and if the data is processed in an automatic way (art. 20 of the GDPR);
- raise objections to the processing of his/her personal data for legally justified purposes of the Administrator for reasons connected with his specific situation, including data profiling. In such a case, the Data Administrator assesses the legally justified reasons for data processing, prevailing over the interests, rights and freedoms of persons concerned or bases for the formulation, investigation and defence of the claims. If, according to the assessment, the interests of the person whose data is concerned prevail over the interests of the Administrator, the Administrator shall be obliged to stop the processing of data for these purposes (art. 21 of the GDPR);
- submit a complaint to the President of the Personal Data Protection Office if the personal data processing is considered a breach of the Regulation.
§ 10
Changes to the privacy policy
Any changes concerning the privacy policy and the Cookies shall be made available on the website: www.mdt.pl/gdpr.
Kraków, 14.02.2021