Privacy policy

PRIVACY POLICY

1. DEFINITIONS
Data Controller/Controller: Next Film sp. z o.o. with its registered seat in Warsaw (00-732), ul. Czerska 8/1, entered in the register of entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS No 59944, share capital: PLN 1000 000.00, Tax Identification Number (NIP): 526-030-56-44.
Personal Data/Data: any information relating to a natural person who is identified or identifiable by reference to one or more factors specific to physical, physiological, genetic, psychological, economic, cultural or social identity of the natural person, including device IP number, location data, online ID and information collected by means of cookie files or a similar technology.
Policy: this Privacy policy.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of the 7th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Website: website published by the Controller to which this Policy applies, i.e.: http://www.next-film.pl/.
User/You: any natural person visiting the Website or using one or more features available on the Website.

2. THE PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING ON THE WEBSITE

2.1. USE OF THE WBSITE
Personal data of all persons using the Website (including IP address or other identifiers or information collected by means of cookie files or other similar technologies) is processed by the Controller:
 for the purpose of electronic provision of services involving sharing the content collected on the Website with the Users – then the legal grounds for processing shall be the necessity of processing for the performance of a contract (Article 6, paragraph 1, letter b of the GDPR);
 for analytical and statistical purposes – then the legal grounds for processing shall be the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in the conduction of analyses of the User activity and preferences, in order to improve the employed features and provided services;
 in order to establish, exercise or defend against any potential claims – the legal grounds for the processing shall be the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in the protection of its rights.
The User activity on the Website, including his or her personal data, is recorded in systems logs (a special computer program that stores chronological records containing information about events and activities in the IT system which are used by the Controller to provide services). Information contained in the logs is processed mainly for the purpose of service provision. The Controller also processes the data for technical and administrative purposes, to administer the IT system and ensure its security, as well as for analytical and statistical purposes – the legal grounds for processing in this respect shall be the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR).

2.2. SOCIAL NETWORKING WEBSITES
The Controller processes personal data of the Users visiting the Controller’s social media profiles (Facebook, YouTube, Instagram). The data is processed only in connection with running the profile, including to inform the Users about the Controller’s activity and promotion of various events, services and products related to the Controller’s activity, as well as with replying to short inquiries received via Facebook messenger. The legal grounds for the Controller’s processing of personal data for this purpose shall be the Controller’s legitimate interest (Article 6. Paragraph 1, letter f of the GDPR), consisting in promotion of own brand, as well as in the necessity to process in order to satisfy an obligation (Article 6, paragraph 1, letter b of the GDPR) in the scope in which the inquiries received via Facebook messenger concern a complaint.

2.3. COOKIES AND SIMILAR TECHNOLOGIES
Cookie files are small text files installed on a device of the User who browses the Website. Cookies usually contain the name of the website domain from which they come from, the time of their storage on an end device and a unique number. Information relating to cookies contained in this Policy also applies to other similar technologies used by the Website.
2.3.1. “Service” cookies
The Controller uses the so-called service cookies first and foremost in order to provide the User with services by electronic means and to improve the quality of the services. Therefore, the Controller and other entities providing analytical and statistical services on its behalf use cookies by storing information or by accessing information which is already stored in a telecommunications end device of the User (computer, telephone, tablet, etc.).
Cookies used for this purpose include:
 User input cookies (session identifier) for the duration of a session;
 authentication cookies used for services which require authentication for the duration of a session;
 User-centric security cookies, e.g. used for detection of authentication frauds;
 multimedia player session cookies (e.g. flash player cookies) for the duration of a session;
 User interface customization cookies for the duration of a session or for a slightly longer period;
 cookies used for web page traffic monitoring, i.e. for data analytics.
2.3.2. “Marketing” cookies
The Controller may also use cookies for marketing purposes. To this end, the Controller may store information and access information which is already stored in a telecommunications end device of the User (computer, telephone, tablet, etc.). The use of cookie files and personal information collected by means of cookies for marketing purposes, especially as far as the promotion of third-party services and products is concerned, requires the User’s consent. The consent may be withdrawn at any time, but the withdrawal will not affect the lawfulness of the marketing profiling prior to said withdrawal.

3. P ERSONAL DATA PROCESSING PERIOD
The period of the processing of data by the Controller depends on the type of service provided and the purpose of processing. In general, data is processed for a period of service provision or order execution, until the User has withdrawn his or her consent or effectively objected to the processing of data.
The period of the processing of data may be extended if the processing is necessary to establish, exercise or defend against any potential claims, and, after the period, only if – and as far as – required by laws.

4. USER RIGHTS
The User has the right to access the content of data and to request its rectification, erasure or restriction of processing, the right to data portability, and the right to object to the processing, as well as the right to file a complaint with a supervisory authority competent for personal data protection.
To the extent that the User data is processed on the basis of consent, the consent may be withdrawn at any time by contacting the Controller via means mentioned in Section 9 of this Policy.

5. THE RIGHT TO OBJECT
The User may at any time object to the processing of his or her data for reasons related to his or her specific situation, in cases where the Controller’s legitimate interest serves as the legal grounds for data processing.
More information about the rights arising from the GDPR can be found in the Personal Data Processing Policy (Transparency Policy), which is available here.

6. DATA RECIPIENTS
In connection with the performance of services, personal data will be disclosed to external entities, including, in particular, providers responsible for operation of the IT systems used to provide services; to the entities such as banks, payment operators, research companies, providers of accounting services, couriers (in connection with order execution), marketing agencies (in connection with marketing services); and to the Controller’s affiliates, including companies in its capital group.
If the User has given consent, his or her data may also be made available to other entities for their own purposes, including marketing purposes.
The Controller reserves the right to disclose information concerning the User to the competent authorities or to third parties who request to be provided with such information, on the basis of appropriate legal grounds and in line with applicable laws.

7. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
The level of Personal Data protection outside the European Economic Area (EEA) varies from the level provided by European laws. For this reason, the Controller transfers personal data outside the EEA only when necessary and with appropriate protection level provided, primarily through:
• co-operation with personal data processing entities in the countries for which a relevant decision of the European Commission was issued;
• application of standard contractual clauses issued by the European Commission;
• application of binding corporate rules approved by the competent supervisory authority;
• in the case of transferring data to the USA – co-operation with entities participating in the Privacy Shield scheme approved by decision of the European Commission.
The Controller always communicates its intention to transfer personal data outside the EEA at the collection stage.

8. SECURITY OF PERSONAL DATA
The Controller analyses risk on an ongoing basis in order to ensure that personal data is processed by it in a secure manner which, first and foremost, guarantees that data can only be accessed by authorised persons and only within such scope as is necessary because of their tasks. The Controller ensures that all operations on personal data are recorded and carried out by authorised employees and collaborators exclusively.
The Controller takes all necessary actions to cause its subcontractors and other collaborators to guarantee the application of appropriate security measures every time they process personal data at the Controller’s request.

9. CONTACT DETAILS
The Data Controller can be contacted via e-mail at biuro@next-film.pl or by means of traditional mail addressed to: Next-Film, ul. Czerska 8/10 00-732 Warszawa.
The Data Controller has appointed a Data Protection Inspector who can be contacted via e-mail at iod@agora.pl in any matter pertaining to the processing of your personal data.

10. AMENDMENTS TO THE PRIVACY POLICY
This Policy is reviewed on an ongoing basis and updated when needed. The current version of the Policy was adapted on and has been in force since the 18th of May 2018.