PRIVACY POLICY

applicable as of [•] 2018

Pickpack S.A., seated in Warsaw, owner of the Internet portal pickpack.cz, providing courier services, protects privacy of persons using its services/Internet portal and their personal data.

For the sake of observing the principle of legal, reliable and transparent processing of personal data during the use of the services of the Internet portal www.pickpack.pl, Pickpack S.A. has adopted this “Privacy Policy” which sets out: the purposes and scope of the processed personal data, the methods of their protection, the legal grounds for their processing and the rights of data subjects.

I. Definitions

Controller

Pickpack Spółka Akcyjna seated in Warsaw, ul. Optymistów 2A, National Court Register (KRS) No.: 695599;

Account

electronic service created and provided by the Controller to Users as a part of the Website, which is an area of a User’s exclusive access in the ICT system provided by the Controller;

Personal data

all information on an identifiable User, i.e. a person that may be indirectly or directly identified, especially by an identifier such as first name and surname, ID number, location data, online ID or one or several special factors defining physical, genetic, mental, economic, cultural or social identity of a natural person;

Clients

all entities cooperating with the Controller, its contractors, to whom the Controller provides its services and directly related marketing services;

Service providers

all entities cooperating with the Controller, its contractors, providing the Controller with their services and directly related marketing services;

Profile

set of personal and behavioral information regarding the User, collected by the Controller;

Profiling

each form of automated processing of personal data by the Controller consisting in the use of the data collected by the Controller for the evaluation of certain personal factors concerning a natural person, especially their analysis or projections regarding aspects of data collected within the Profile or inference about personal features and factors relating to Users, other than the ones collected by the Controller;

Regulations

Regulations on service provision through the Website;

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Website

Internet portal belonging to and managed by the Controller, as a part of which the Controller provides its services, available at the address: pickpack.cz;

Settings

Account function which allows a User taking advantage of Services to appropriately manage Services, including to independently modify their scope, and to set preferences regarding the scope and purposes of the processing of his personal data;

User

User (logged) or User (non-logged);

User (logged)

natural person holding an Account and using the Services through the Website;

User (non-logged)

natural person not holding an Account but using the Services through the Website, which does not require creation of an Account;

Services

group of services provided by the Controller, in particular electronically through the Website, postal services, goods transportation services, as well as direct marketing services.

II. Personal data Controller

The Controller of Users’ personal data shall be the Controller.

In case of any questions on the personal data processing and rights of Users, it is possible to contact the Controller via the following channels:

  • contact form, available at the address: www.pickpack.cz;
  • e-mail, with our Data Protection Officer – Adam Zając, at the address: iod@pickpack.pl

Legal ground: disclosure obligation under Art. 13(1) letter a GDPR.

III. Scope and purposes of processing Users’ personal data

Since the Controller provides various services to Users, User personal data are processed for different purposes, in a different scope and under different legal grounds as specified in the GDPR. To ensure transparency of information, we grouped them according to the purpose of data processing.

Purpose 1: Setting up the Account, User access to the Website, use of the Services

Scope of data:

For that purpose, the Controller processes Users’ personal data submitted by the Users in the registration form on the Website, i.e. email address and first name (facultative).

Legal ground:

necessity for the performance of a contract for the provision of Services to a User (Art. 6(1) letter b GDPR).

Purpose 2: Use of generally accessible Services (not requiring Account creation)

Types of Services:

The Controller processes the personal data for the purposes of Service provision, such as: browsing the Website contents, execution of Users’ orders, performance of the Services for the Users: postal or goods transportation services, shipment (parcel) tracking.

Scope of data:

For this purpose, the Controller processes personal data necessary for the execution of an order and performance of the Services for the User – sender’s name and surname, phone no., address and e-mail, as well as recipient’s name and surname, phone no., delivery address and e-mail (if provided).

Legal ground:

necessity for the performance of a contract for the provision of Services by electronic means (art. 6(1) letter b GDPR).

Purpose 3: Use of Services by Users holding an Account

Types of Services:

The Controller processes personal data of Users (logged) in order to provide Services requiring creation and keeping of an Account, such as: Account and Settings management, making changes to data collected in the Profile, viewing the history of orders, contractors defining, adding business contexts and other services specified in detail in the Regulations.

Scope of data:

For this purpose, the Controller processes the following personal data of the Users: name and surname, e-mail address, phone number (if provided) and the data provided in orders, specified in Purpose #3.

Legal ground:

necessity for the performance of a distance contract for the provision of Services, concluded through the Website (art. 6(1) letter b GDPR).

Purpose 4: Statistics of use of specific functions and parts of the Website, product/service popularity and facilitation of the Website’s use

Scope of data:

For these purposes, personal data are processed by the Controller in respect of User activity on the Website, such as: the visited pages and subpages of the Website and the amount of time spent on each of them, as well as data regarding the history of orders, IP address, location, device ID and information on the browser, session and operating system.

Legal ground:

legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in improvement of the Website’s functionality and facilitation of access to the Account

Purpose 5: Establishment, assertion and enforcement of claims

Scope of data:

For this purpose, the Controller may process certain personal data submitted by the User and collected in the Profile, such as: first name, surname, delivery address, information on the scope of use of Services and submitted for the purposes of Services performance, as well as other data necessary to prove a claim, including the size of the loss suffered.

Legal ground:

legitimate interests of the Controller (Art. 6(1) letter f GDPR) consisting in collection of payments and establishment, assertion and enforcement of claims as well as defense from claims in legal proceedings before courts or other state authorities.

Purpose 6: Processing requests and complaints, answering questions

Scope of data:

For this purpose, the Controller processes personal data submitted by the User and collected in the Profile, i.e. name and surname, e-mail address, phone number and address and the data on the use of the Services subject to the complaint or request, the data submitted in order to use the Service, in particular defined in purpose #2, as well as included in documents annexed to a request or complaint.

Legal ground:

necessity of the processing for the fulfilment of a legal obligation imposed on the Controller (Art. 6(1) letter c GDPR) and legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in improvement of operation of Services and building positive relationships with Users.

Purpose 7: Marketing and remarketing

Types of Services:

The Controller processes Users’ personal data for the purposes of direct or indirect marketing (remarketing) of its own services or products.

Scope of data:

For this purpose, the Controller processes personal data submitted and collected in the Profile, i.e. first name, surname, e-mail address, phone number (where consent has been given to the use of telecommunication terminal equipment for direct marketing purposes by means of electronic communication), workplace and data on a User’s activity on the Website, registered and stored by means of cookies, in particular the history of accessed subpages of the Website, order history, clicks on the Website, login and registration dates, information on accessing and use of specific services on the Website, activity relating to communication with the Controller.

Remarketing:

To reach Users by means of marketing communications outside the Websites, the Controller takes advantage of services provided by external suppliers. Such services consist in displaying the Controller’s marketing communications, including commercial information, on pages other than the Website. For that purpose, external suppliers (such as Google, Facebook) install, e.g., an appropriate code, text file or pixel to collect information on User activity on the Website. This information relates to the User’s activity on the Website, in particular to the fact of visiting the Website and the history of accessing subpages within the Website.

Legal ground:

legitimate interest of the Controller (Art. 6(1) letter f GDPR) consisting in direct marketing of the Controller’s services or products.

IV. Cookies

In order to facilitate the Website’s use, the Controller may, through the Website, install on User’s terminal text files, referred to as cookies, destined for the storage of information for User identification or remembering the history of activities of a User on the Website.

Provision by a User of the data covered by cookies is voluntary, and such intention on a User’s part is expressed by appropriate settings of the User’s Internet browser by which the Website is accessed.

The purposes for which the Controller uses Cookies do not, however, require identification of the data subject by the Controller. In the light of the above, the Controller shall not be obliged to save, obtain or process any additional information to identify the data subject only for the purpose of complying with the GDPR.

In connection with the above, the Controller notifies the foregoing to Users in this Privacy Policy. In such situations, the rights specified in section X shall not apply, unless the User being the data subject, with a view to exercising his rights under the GDPR, provides additional information enabling his identification.

Legal basis: Art. 11 GDPR.

Types of cookies

According to their lifecycle, cookies are divided into:

  1. session cookies – erased upon closing the Internet browser,
  2. persistent cookies – erased after a period of time determined in advance, regardless of closing the Internet browser.

According to the Internet domain of their origin, cookies are divided into:

  1. own cookies – set by the Internet servers of our Websites,
  2. third party cookies – set by Internet servers of sites other than our Websites.

Purposes for which cookies are used

Optimization of the Websites’ use (necessary and analytical cookies)
The Controller uses its own cookies to ensure Users’ convenience in the Website’s use, including to enable remembrance of a User’s logins from a specific device and the unnecessity to renew the login procedure on the Website and to reduce the number of displays of messages (on updates of the Privacy Policy and use of cookies). In addition, the Controller uses cookies to verify security of the IT system and to remember User preferences.

Statistics of site and subpage views of the Websites (analytical cookies)
The Controller uses third party cookies (e.g. Google Analytics, Google Analytics 360) to calculate the number of views on the Website, their duration, and to determine what functions or parts of the Website were most frequently used or visited. The information so collected allows the Controller to analyze efficiency of the Website and determine the directions for development of new functions and services.

Tracing activities on the Websites (analytical cookies)
The Controller uses its own cookies to identify a User for the purposes of User activity analysis on the Websites, to determine what the User’s activities at the Website addresses were, in particular what subpages were viewed by a User and where he spent most of his time. The information so collected allows the Controller to evaluate whether the information addressed to Users through the Website is clear and whether the Website does not require any changes in the arrangement of contents.

Cancellation of cookies

A User may fix the conditions of storage or accessing cookies by the Internet browser settings or service configuration. In the menu bar of an Internet browser, in the “Help” section, information can be found on how to reject saving of new cookies, how to remove the cookies saved thus far, how to request notification of a new cookie being saved, and how to block the operation of cookies.

For further information on the possibilities to reject the use of cookies and erase all cookies created by the Controller, the Controller invites Users to consult the Controller in one of the ways set out in this privacy policy.

V. The obligatory character of personal data submission and consequences of omission to do so

Submission of certain personal data makes a precondition for the use of Services or conclusion of a distance contract with the Controller (data specified in Purposes #2 or #3). The obligatory data are marked within the Website with [*]. A consequence of an omission to submit such data is the User’s impossibility to use Services. Apart from data marked as obligatory, provision of other personal data is voluntary.

In respect of personal data collected automatically, their submission is also voluntary, and the expression of such intention on the part of a User is appropriate setup of the Internet browser by which the Website is accessed.

VI. Automated decision-making and Profiling

The Controller shall make all reasonable efforts to adjust the offer of its own services and all marketing communications addressed to Users to their interests and preferences. For that purpose, it undertakes automated processing of personal data, which does not take the form of Profiling.

At the same time, the Controller points out that targeting and personalization of the Controller’s marketing communications, especially offers and trade information, based on the collected behavioral data (relating to the Users’ behavior and his activity on the Website, in particular the history of subpages viewed), as long as it is not a consequence of inference about other features and personal factors of a User based on the data collected by the Controller, does not amount to Profiling.

The above activities and decision-making constitute automated processing of personal data – and take place when a specific action or omission by a User on the Website triggers a specific commercial communication – identical for all Users who have acted in a similar way. Such communication is not addressed to a User on the basis of any assumptions made by the Controller by automated means, but in connection with specific User-submitted information.

Automated processing of personal data and decision-making does not pose any substantial threat to Users’ rights and freedoms, does not produce any substantial legal consequences to Users and is not an excessive nuisance, and, consequently, there are no reasons which would preclude affording priority to the Controller’s interests.

The consequences of automated processing of personal data will be exclusively the diversification of marketing messages addressed to the Users, depending on the activities they have undertaken on the Website. In connection with the above, it is possible that certain commercial discounts will be provided only to a limited group that met certain conditions set by the Controller. As a consequence, certain discounts and campaigns will be unavailable to other Users.

In connection with the above, Users shall have additional rights, specifically referred to in section X.

VII. Processing of children’s personal data

To take advantage of Services, a User must be at least 16 years of age or obtain consent from a person exercising parental authority or guardianship over the child. The Controller does not intend to consciously collect any personal data from children under 16 years of age without obtaining consent of a parent or guardian.

VIII. Data recipients

Users’ personal data may be disclosed by the Controller to other entities. Depending on the circumstances, such entities may be under Controller’s instructions as to the purposes and methods of processing such data (processors), or independently establish the purposes and methods of processing Users’ personal data (controllers). The Controller shares Users’ personal data with the following categories of recipients:

  1. Affiliates
    Users’ personal data may be disclosed to the Controller’s affiliates, in particular its subsidiaries: PickPack.cz [•] / PickPack S.A., PickPack Sp. z o.o. with its registered office in Warsaw (KRS: 704006) and PickPack Spółka z ograniczoną odpowiedzialnością Sp. k with its registered office in Warsaw (KRS: 720033). Such affiliates shall apply the same protective measures in relation to the personal data, as well as the terms and purposes of their processing, as the Controller, and with regard to the disclosed data they shall act as controllers or processors.

    Location. Affiliates are mainly domiciled in Poland and other countries of the European Economic Area (EEA).

  2. Service Providers
    Users’ personal data may be disclosed to entities which provide to the Controller services supporting its activities, e.g. to suppliers of marketing tools, accountants, legal advisors.

    Processors. The Controller takes advantage of services by entities processing Users’ personal data only upon its request. Those include, among others, providers of hosting services, drive space in a cloud, marketing systems (e.g. for distribution of newsletters and other emails), systems analyzing Website traffic or effectiveness of marketing campaigns, etc.

    Presently, the Controller cooperates with the following Service Providers which are personal data processors:

    • Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States of America, contact: https://aka.ms/privacyresponse
    • Hotjar Limited, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta, e-mail: support@hotjar.com;
    • Asana, Inc., 1550 Bryant Street, San Francisco, CA 94103, United States of America, e-mail: privacy@asana.com;
    • Slack Technologies, Inc., 155 5th Street, 6th Floor, San Francisco, CA 94103, United States of America, e-mail: dpo@slack.com;
    • Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland, e-mail: privacy@twilio.com;
    • Marcin Borecki, 3 Maja 13/8, 42-700 Lubliniec, NIP (tax identification number) 5751841091

    Controllers. The Controller also uses services of entities that do not act exclusively on its instruction and by themselves establish the purposes and methods of utilization of Users’ personal data. These are entities which mainly provide services of remarketing campaigns and undertake statistical research.

    Currently, the Controller cooperates with the following Service Providers which are personal data controllers:

    • Google LLC
    • Facebook Ireland Limited,
    • Główny Urząd Statystyczny (Poland), to the extent of the service BIR-1 (Baza Internetowa REGON 1), provided through API.

    Location. Service Providers are domiciled both in Poland and other countries of the European Economic Area (EEA). However, some of the Service Providers may be domiciled outside the EEA. In connection with personal data transfers outside the EEA, the Controller has ensured that service providers guarantee a high level of personal data protection. Such guarantees follow in particular from participation in the "Privacy Shield" program put in place under the implementing decision of the Commission (EU) 2016/1250 of 12 July 2016 on the adequacy of protection afforded by the EU-US Privacy Shield. A User may obtain by email a copy of the personal data transferred from the Controller to a third country, in the same way as he may request access to personal data. Where the above requirement has not been fulfilled, the Controller shall ensure compliance of the data processing with the GDPR by obtaining User consent to such transfer, and in the absence of such consent – exclusion of the personal data of such User from transfers to a third country.

  3. Persons authorized by the Controller to process data
    The Controller shall disclose personal data to all persons authorized by the Controller to process data on its behalf, which follows from the fact that on an everyday basis these are the people responsible for the Controller’s actions. :)

  4. State authorities
    Personal data are also disclosed when authorized state authorities so request, in particular organizational units of the prosecutor’s office, the Police, or the supervision authority responsible for data protection issues (President of the Data Protection Authority (Úřad pro ochranu osobních údajů)).

IX. Data storage period

Users’ (logged) personal data are stored by the Controller for the entire duration of keeping the Account active in order to perform Services and for marketing purposes. After 2 years following the deletion of the Account, the User’s data shall be subject to pseudonymization, except for the following data: number and properties of orders, shipments and chosen additional features, senders’ and recipients’ addresses, net and gross amounts of orders, shipments and additional features, invoices with attachments thereto. After 5 years following the pseudonymization or anonymization, all data shall be erased.

Personal data of Users (non-logged) are stored for a period corresponding to the validity of the cookies saved on their devices and in case Services have been used – until the lapse of the claim expiry period, depending on the type of Services.

X. Rights of data subjects

The Controller shall ensure execution of the above rights to Users by contacting the Controller in one of the ways indicated in section II. Additionally, certain rights may be exercised by Users (logged) by an appropriate change of Settings.

Right to withdraw consent
A User shall have the right to withdraw each consent that he expressed upon registration on the Website, and during the use of Services and Account functions. Withdrawal of consent shall be effective as of the moment of the consent’s withdrawal. Withdrawal of consent shall not affect the processing legally performed by the Controller before such withdrawal.

Withdrawal of consent shall not entail any negative consequences. However, it may disable further use of Services. Withdrawal of consent shall be without prejudice to the processing performed under a legal ground other than consent from the data subject, for instance for the purpose of performing the contract between the Controller and a User.

Legal basis: Art. 7(3) GDPR.

Right of objection to the use of data
A User may, at any time, lodge an objection to the processing of his personal data, including automated processing, and in particular Profiling, where the data are processed on the basis of the Controller’s legitimate interest.

Regardless of the above, a data subject may, at any time, lodge objection to the processing of his personal data for the purposes of direct marketing, including Profiling, insofar as the processing relates to such direct marketing.

Such resignation shall be treated as objection to the processing of personal data, including Profiling, for marketing purposes, and shall guarantee cessation of any further processing for that purpose.

Where the Controller is unable to indicate any other legal ground for the processing of personal data of a User who lodged a complaint which would be precedent to the interests, rights and freedoms of a User or grounds for the establishment, assertion or defense of claims, the Controller shall promptly erase the personal data of such User.

Legal basis: Art. 21 GDPR

Right to data erasure (“right to be forgotten”)
A User may request erasure of all or certain personal data. The request for erasure of all personal data shall be treated as a request to remove the Account.

This right exists if at least one of the following conditions has been met:

  • personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • A User withdrew the consent on which the processing was based, and the Controller does not have any other ground for the processing;
  • A User lodged an objection to the processing and there are no precedent legitimate grounds for the processing or a User lodged an objection to the processing of data for direct marketing purposes;
  • personal data was processed contrary to the law;
  • personal data must be erased to achieve compliance with a legal obligation prescribed by applicable legal provisions;

Despite a request for erasure of personal data, in connection with a submission of objection or withdrawal of consent, the Controller may keep certain personal data to the extent necessary for the establishment, assertion or defense of claims. This relates in particular to personal data covering: first name, surname, email address and order history, which data are kept for the purposes of processing complaints and claims relating to the use of Services.

Legal basis: Art. 17 GDPR

Right to restrict data processing
A User may request restriction of processing of his personal data. This right shall exist if at least one of the following conditions is met:

  • the User questions accuracy of the personal data – restriction is made for a period which allows the Controller to verify accuracy of the data;
  • the processing is contrary to law, and the User objects to erasure of the personal data, requesting restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of processing, but they are necessary to the User for the establishment, assertion or defense of claims;
  • the User lodged an objection to the processing of personal data – restriction is made pending the determination if the Controller’s legitimate interests are precedent to the grounds for the objection of the data subject.

Legal basis: Art. 18 GDPR

Right of access to data
Everyone may obtain confirmation from the Controller whether the Controller processes personal data of any given person, and if so, such person may:

  • gain access to his personal data;
  • obtain information on the purposes of processing, categories of the processed personal data, recipients or categories of recipients of such data, the planned storage period of the personal data or the criteria of determination of such period, on data subject’s rights under the GDPR and the right to lodge a complaint to a supervisory authority, on the sources of such data, automated decision-making, including Profiling, and the securities used in connection with the transfer of such data to a third country;
  • obtain a copy of his personal data.

Legal basis: Art. 15 GDPR

Right to rectify data
A User may rectify or supplement the personal data which he submitted. It is possible to exercise that right in the Account, by an independent change of Settings and verification of the scope of the data submitted in the Account.

As regards personal data which cannot be accessed from the Account, a User may request from the Controller rectification of that data (if inaccurate) or their supplementation (if incomplete).

Legal basis: Art. 16 GDPR

Right to data portability
A User may receive his personal data which he submitted to the Controller, and then send them to another personal data controller of his choice.

A User may also request that the personal data be sent by the Controller directly to such another controller as far as this is technically possible.

The Controller sends data as a file in the *.[•] format. This format is in general use, machine-readable and permits the transfer of the received data to another personal data controller.

Legal basis: Art. 20 GDPR

Right to obtain human intervention from the Controller
In each situation of automated processing of personal data (automated decision-making, including Profiling), a User may question the decision made exclusively by automated means, express his opinion about the decision made and request human intervention from the Controller. Human intervention is made by repeated evaluation of the features, factors and premises that have been taken into account in the automated decision-making by a person authorized by the Controller and issuance of a decision other than the previous one or its upholding. With regard to Profiling, the Controller should disregard any personal features and factors that were inferred from the data collected by the Controller, and the decision concluding the human intervention should be made on the basis of the data collected by the Controller which are not an evaluation, analysis or forecast of the data submitted by a User.

This right shall be excluded where such decision does not produce any legal consequences to the User or the impact on his situation is minimal.

However, where the decision made by automated means: (i) is not necessary for the conclusion or performance of a contract between a User and the Controller; (ii) is not permitted by the law of the European Union or the law of a Member State applicable to the Controller which provides for appropriate measures safeguarding rights, freedoms and legitimate interests of a data subject; (iii) is not based on clear consent from a data subject – the manifestation of the above User’s right shall be the right not to be entirely subject to decisions made exclusively by automated means. When a request is submitted in exercise of such right, the Controller shall take all reasonable measures so that the decision-making process is not entirely automated, i.e. to ensure presence of a human factor in at least one of its stages.

Legal basis: Art. 22 GDPR.

XI. Reaction time

If a User, in exercise of the rights specified in section IX, submits an appropriate request to the Controller, the Controller shall promptly consider that request positively or negatively, however, not later than within a month of its receipt. However, if, as a result of a complex nature of the request or number of requests – it is impossible to comply with the monthly deadline, the Controller shall fulfil its obligation to process the request within the following two months, upon prior notification of the circumstances to the User.

XII. Requests and complaints

The Controller invites questions and requests in respect of the processing of Users’ personal data and exercise of their rights.

Each person shall have the right to lodge a complaint with the supervisory authority responsible for issues of personal data protection (President of the Data Protection Authority (PUODO)) if such person believes that his right to personal data protection or other rights granted to him under the GDPR have been violated by the Controller.

XIII. Security of personal data

The Controller and entities with whom it cooperates shall make every effort to ensure security to the personal data processed on the Website, including but not limited to, by the use of encrypted data transmission (SSL) during registration and login processes, which ensures protection of the submitted authentication data and considerably hinders interception of the Account by unauthorized systems or persons.

XIV. Amendments to the Privacy Policy

If needed, the Controller may amend or update the Privacy Policy. All amendments or supplementations shall be notified to Users by publication on the Website’s home page of appropriate information or by an email sent to Users.
