Data Controller/Controller: Next Film sp. z o.o. with its registered seat in Warszawa (00-732), ul. Czerska 8/10, entered in the register of entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS No 432663, share capital: PLN 1 000 000.00, Tax Identification Number (NIP) 725-206-18-49.
Personal Data/Data: any information relating to a natural person who is identified or identifiable by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including image, voice recording, contact data, location data, information contained in correspondence, information collected by means of recording equipment or any other similar technology.
Policy: this Transparency Policy on Personal Data Processing.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of the 7th of April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
Data Subject: every natural person whose Personal Data is processed by the Controller (e.g. clients, the persons who use services provided by the Controller, who visit the Controller’s premises or who maintain correspondence with the Controller).
THE PROCESSING OF DATA BY THE CONTROLLER
In connection with its economic activity, the Controller collects and processes Personal Data in line with relevant regulations, particularly with the GDPR and the data processing rules set out therein.
The Controller ensures transparency of data processing, in particular by always notifying, when collecting the data, that the data will be processed. The Controller always makes sure that the data is collected only in such scope as is necessary for the specified purpose, and that it is processed within the necessary timeframe only.
When processing the data, the Controller ensures data security and confidentiality, and facilitates access to the information on said processing for Data Subjects. Should a Personal Data breach (e.g. a “leak” or loss of data) occur despite the security measures applied, the Controller shall, in a manner compliant with regulations, notify the Data Subjects whose data has been breached.
CONTACTING THE DATA CONTROLLER
The Controller can be contacted via e-mail at firstname.lastname@example.org or by means of traditional mail addressed to: Next-Film, ul. Czerska 8/10, 00-732 Warszawa.
The Data Controller has appointed a Data Protection Inspector who can be contacted via e-mail at email@example.com in any matter pertaining to the processing of Personal Data.
SECURITY OF PERSONAL DATA
In order to ensure the integrity and confidentiality of data, the Controller has implemented procedures which allow access to Personal Data only to authorised persons, and only within such scope as is necessary because of their tasks. The Controller applies organizational and technical solutions to ensure that all operations on Personal Data are registered and performed only by authorised persons.
Furthermore, the Controller takes all necessary actions to cause its subcontractors and other collaborators to guarantee the application of appropriate security measures every time they process Personal Data at the Controller’s request.
The Controller analyses risk on an ongoing basis and monitors the adequacy of applied data safeguards to identified threats. If necessary, the Controller implements additional measures to increase the security of data.
PURPOSES AND LEGAL BASIS FOR THE PROCESSING OF DATA BY THE CONTROLLER
E-mail and traditional mail
When an e-mail or traditional mail is sent to the Controller, the Personal Data contained in such correspondence is processed only to communicate and to deal with the matter to which that correspondence pertains.
The legal basis for processing consists in the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR), which involves exchanging correspondence addressed to the Controller in connection with the economic activity.
The Controller processes only such Personal Data as is relevant to the matter to which the correspondence pertains. The entire correspondence is kept in a manner that ensures the security of the Personal Data contained therein as well as of other information, and is disclosed only to authorised persons.
Contact by phone
When contacted by telephone, the Controller may only demand Personal Data when this is necessary for handling the matter to which the telephone call pertains. In such case, the legal grounds for processing shall be the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in the necessity of handling a reported matter related to the Controller’s economic activity.
Additionally, telephone calls may be recorded (the information about this is provided when the call is answered) in order to handle the matter, to assess the work of the telephone consultants and the quality of service, as well as for statistical purposes. The recordings are available to a limited group of persons.
Personal Data in the form of a phone-call recording is processed:
for the purposes related to the client and customer service via hotline when the Controller provides such service – the legal grounds for processing shall be the necessity to process in order to provide the service (Article 6, paragraph 1, letter b of the GDPR) related to the Controller’s economic activity;
in order to monitor the quality of service and to assess the work of the telephone consultants who operate the hotline – the legal grounds for processing shall be the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR), focused on ensuring the highest quality of service to clients and customers;
in order to vindicate or defend against any potential claims related to the matter the caller has contacted the Controller about (Article 6, paragraph 1, letter f of the GDPR).
Visual monitoring and access control
In order to ensure the safety of people and property, the Controller uses visual monitoring and controls the access to the premises and area managed by the Controller. The data collected in this way is not used for any other purposes.
Personal Data in the form of visual monitoring recordings and the data collected in the register of entries and exits is processed to ensure security and order in the facility area, and to vindicate or defend against any potential claims. The legal grounds for processing shall be the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR).
As a part of recruitment processes, the Controller expects to be provided with Personal Data (such as CV) only to the extent set out in labour code. Therefore, information in any broader scope should not be provided. Whenever received applications contain this kind of additional data, such data will not be used or taken into consideration in the recruitment process nor used to any other end.
Personal Data is processed:
in order to satisfy the legal obligations related to the process of employment, including, first and foremost, the labour code – based on Article 6, paragraph 1, letter c of the GDPR in connection with the regulations of the labour code;
in order to carry out the recruitment process with respect to the data not required by law, and for the purpose of future recruitment processes – based on Article 6, paragraph 1, letter a of the GDPR;
in order to determine or vindicate any potential claims or defend against such claims – based on Article 6, paragraph 1, letter f of the GDPR.
The collection of data in connection with the provision of services or the performance of other contracts
If Personal Data is collected for the purposes related to the performance of a specific contract, the Controller shall provide the Data Subject with detailed information concerning the processing of his or her Personal Data no later than upon the conclusion of that contract.
The collection of data in other situations
In connection with the economic activity, the Controller collects Personal Data in other situations – e.g. during business meetings, at industry events or by means of business card exchange – for purposes related to the establishment and maintenance of business contacts. In such case, the legal grounds for processing shall be the Controller’s legitimate interest (Article 6, paragraph 1, letter f of the GDPR), consisting in the building of a contact network in connection with the economic activity.
The Personal Data collected in aforementioned situations is processed solely for the purpose in which it was collected and with the application of an appropriate level of protection.
In connection with the economic activity which requires the processing of Personal Data, said data may be disclosed to external entities, including providers responsible for the operation and service of the IT systems and hardware, providers of legal and accounting services, couriers, marketing and recruitment agencies. The data shall also be disclosed to the Controller’s affiliates, including companies in its capital group. More information on the Controller’s capital group can be found at: https://www.agora.pl/grupa-agora.
Any potential disclosure or transfer of Personal Data to the competent authorities or to third parties, who request to be provided with such information, may only occur on the basis of appropriate legal grounds and in line with applicable laws.
TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
The level of Personal Data protection outside the European Economic Area (EEA) varies from the level provided by European laws. For this reason, the Controller transfers personal data outside the EEA only when necessary and with appropriate protection level provided, primarily through:
• co-operation with personal data processing entities in the countries for which a relevant decision of the European Commission was issued;
• application of standard contractual clauses issued by the European Commission;
• application of binding corporate rules approved by the competent supervisory authority;
• in the case of transferring data to the USA – co-operation with entities participating in the Privacy Shield scheme approved by decision of the European Commission.
The Controller always communicates its intention to transfer personal data outside the EEA at the collection stage.
TIME LIMIT FOR THE PROCESSING OF PERSONAL DATA
The time limit for the processing of data by the Controller depends on the purpose of processing and may also result from legal regulations, when such regulations form the basis for the processing. If the data is processed on the basis of the Controller’s legitimate interest, it shall be processed for a period required to accomplish that interest or until an effective objection is filed with respect to the data processing. If the processing is based on a consent, the data is processed until the consent is withdrawn. When the processing is based on the data being needed to conclude and perform a contract, such data will be processed until the termination thereof.
The time limit for data processing may be extended if the processing is necessary to determine, vindicate or defend against any possible claims, and after that time limit — only if and to the extent required by law. After the end of the time limit for processing, the data is irrevocably removed or anonymised.
RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
Data Subjects’ Rights
Data Subjects have the following rights:
• The right to information about Personal Data processing – any Data Subject who makes such a demand is provided with information about data processing, including, first and foremost: the purposes of and legal basis for the processing, the scope of the collected data, the entities to whom the data is disclosed and the planned date of data removal;
• The right to receive a copy of the data – the Controller shall provide a copy of the processed data concerning the Data Subject who made the demand;
• The right to correction – upon the demand of a Data Subject the Controller shall remove any possible inconsistencies or errors in the Data Subject’s personal data and shall supplement the data if incomplete;
• The right to erasure of data – it is possible to demand the erasure of personal data when the processing of said data is no longer essential for the fulfillment of any of the objectives for which the data was collected.
• The right to restriction of processing – if such a demand is made, the Controller shall cease any operations on the personal data as well as stop storing said data until the reasons for restrictions on data processing expire (e.g. upon a decision issued by a supervisory authority, permitting further processing of the data);
• The right to data portability – within such scope as the data is processed in connection with a signed contract or a received consent, the Controller shall release the data provided by the Data Subject in a machine-readable format. It is also possible to demand that such data be sent to another entity – provided, however, that both the Controller and said other entity have technical capability in that respect;
• The right to object against the processing of data for direct marketing purposes – the Data Subject can at any time object to the processing of his or her personal data for direct marketing purposes with no need to provide any rationale for such an objection;
• The right to object against the processing of data for other purposes – the Data Subject can at any time object to the processing of his or her data for reasons related to his or her specific situation, as long as the Controller’s legitimate interest serves as the legal grounds for data processing (i.e. for analytical or statistical purposes or for reasons related to property protection, based on Article 6, paragraph 1, letter f of the GDPR). This kind of objection should be substantiated;
• The right to withdraw consent – if the data is processed upon the basis of received consent, the Data Subject may withdraw such consent at any time, which, however, does not affect the lawfulness of processing done before said withdrawal of consent;
• The right to file a complaint – should the Data Subject decide that the processing of his or her personal data violates the GDPR or other regulations on Personal Data protection, he or she can file a complaint with the President of the Office of Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych).
Submitting demands and applications related to the execution of rights
An application/demand may be submitted as follows:
in writing to the address: Next Film sp. z o. o., ul. Czerska 8/10, 00-732 Warszawa;
via e-mail directed to: firstname.lastname@example.org or to other relevant e-mail addresses provided by the Controller.
In order to make service more efficient, the applicant is asked to precisely specify as to what his or her application/demand refers to, for example:
specify the right the applicant wishes to exercise (e.g. the right to receive a copy of the data, the right to data erasure, etc.);
specify the processing process the demand pertains to (e.g. the use of a specific service, the activity on a specific Internet website, newsletter subscription etc.);
specify the processing purposes the demand pertains to ( e.g. marketing purposes, analytical purposes, etc.).
Should the Controller be unable to determine the content of the demand or identify the applicant by means of the received application, it will request additional information from the applicant. The Controller’s reply ought to be given within one month of receipt of the application. If this time limit needs to be extended, the Controller shall notify the applicant of the reasons for such extension.
The reply will be given in writing, unless the application/demand was submitted via e-mail or contained a demand to give the reply in an electronic form. Should any doubt concerning the identity of the applicant arise, the Controller reserves the right to verify said identity.
The principles of charging
The procedure concerning the submitted applications is free of charge. Charges may be collected only when:
a demand to release a second and every following copy of the data is made (the first copy of the data is free); in such case, the Controller may request a fee of PLN 30 (thirty Polish zloty) to be paid.
This fee covers the administration costs related to the fulfillment of the demand.
the same Person makes excessive (e.g. unusually frequent) demands or obviously unfounded demands; in such case, the Controller may request a fee of PLN 30 (thirty Polish zloty).
This fee includes the costs of communications and costs related to the demanded actions.
Should the Data Subject wish to challenge the decision to charge a fee, he or she can file a complaint to the President of the Office of Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych).
AMENDMENTS TO THE PERSONAL DATA PROCESSING POLICY
This Policy is reviewed on an ongoing basis and updated when needed. The current version of the Policy has been in force since the 25th of May 2018.