Privacy

We / the Controller – Next Film sp. z o.o., with its registered office in Warsaw (00-732), ul. Czerska 8/10, entered into the Register of Entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under number KRS: 432663, with a share capital of PLN 1,000,000, NIP: 725-20-61-849.

Personal Data: all information relating to an identified or identifiable natural person who can be identified directly or indirectly by reference to one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural, or social identity of such person, including image, voice recording, contact details, location data, information contained in correspondence, or information collected through recording equipment or similar technology.

Policy: this Personal Data Processing / Transparency Policy.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Data Subject: any natural person whose personal data are processed by the Controller (e.g., our clients, users of our services, visitors to our premises, persons corresponding with us).

PROCESSING OF DATA BY THE CONTROLLER

In connection with our business operations, we collect and process personal data in accordance with applicable laws, in particular the GDPR, and the principles of data processing set out therein.

We ensure transparency in data processing, in particular by always informing data subjects about the processing of their data at the time of collection, including the purpose and legal basis of the processing. We ensure that data are collected only to the extent necessary for the indicated purpose and processed only for as long as necessary.

When processing data, we ensure their security and confidentiality and provide data subjects with access to information about such processing. If, despite the security measures in place, a personal data breach occurs (e.g., data “leak” or loss), we inform the affected data subjects in accordance with applicable regulations.

CONTACT WITH THE CONTROLLER

You can contact us via e-mail at iod@next-film.pl or in writing at ul. Czerska 8/10, 00-732 Warsaw.

We have appointed a Data Protection Officer (Edyta Palak), who can be contacted via e-mail at iod@agora.pl in any matter concerning the processing of personal data.

SECURITY OF PERSONAL DATA

To ensure the integrity and confidentiality of data, we have implemented procedures allowing access to personal data only by authorised persons and only to the extent necessary to perform their duties. We apply organisational and technical measures to ensure that all operations on personal data are recorded and performed only by authorised persons.

We also take all necessary measures to ensure that our subcontractors and other cooperating entities provide adequate guarantees of applying appropriate security measures whenever they process personal data on our behalf.

We conduct ongoing risk analysis and monitor whether the security measures in use are adequate to the identified risks. Where necessary, we implement additional measures to enhance data security.

PURPOSES AND LEGAL BASES FOR DATA PROCESSING BY THE CONTROLLER

E-mail and postal correspondence

When you send us correspondence by e-mail or traditional mail, the personal data contained in such correspondence are processed solely for the purpose of communication and resolving the matter to which the correspondence relates or matters connected with it.

The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in conducting correspondence related to its business activities.

We process only personal data necessary for the matter to which the correspondence relates. All correspondence is stored securely, ensuring the protection of the personal data and other information it contains, and is disclosed only to authorised persons.

Telephone contact

When you contact us by telephone, we may request personal data only when necessary to handle the matter related to the contact. The legal basis in such a case is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in the necessity to resolve the reported issue related to business operations.

Telephone conversations may also be recorded (of which you are informed at the beginning of the call) for the purpose of resolving the issue, verifying consultants’ work and service quality, and for statistical purposes. Recordings are available only to a limited number of authorised persons.

Personal data in the form of call recordings are processed for the following purposes:

– related to customer and client service through the helpline, where such a service is provided – the legal basis for processing is the necessity of processing for the provision of the service (Article 6(1)(b) GDPR) in connection with our business operations;
– monitoring service quality and verifying the work of helpline consultants – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in ensuring the highest quality of service to clients and customers;
– for the potential establishment or defence of claims related to the matter for which you contact us (Article 6(1)(f) GDPR).

Video surveillance and access control

To ensure the safety of persons and property, the Controller uses video surveillance and controls access to the premises and areas managed by the Controller. Data collected in this way are not used for any other purposes.

Personal data in the form of video recordings and data collected in entry and exit registers are processed to ensure safety and order within the facility and, if necessary, for the defence or establishment of claims. The legal basis for the processing of personal data is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

Recruitment

In recruitment processes, we expect personal data (e.g., in CVs or résumés) to be provided only to the extent specified in labour law provisions. Therefore, you should not provide information beyond that scope. If the submitted applications contain such additional data, they will not be used or considered in the recruitment process or for any other purposes.

Personal data are processed for the following purposes:

– compliance with legal obligations related to the employment process, in particular under the Labour Code – based on Article 6(1)(c) GDPR in connection with the provisions of the Labour Code;
– conducting recruitment in respect of data not required by law and for future recruitment purposes – based on Article 6(1)(a) GDPR;
– establishing or pursuing potential claims or defending against such claims – based on Article 6(1)(f) GDPR.

Collection of data in connection with the provision of services or the performance of other contracts

When collecting data for purposes related to the performance of a specific contract, we provide the data subject with detailed information on the processing of their personal data at the latest at the time of entering into the contract.

Collection of data in other cases

In the course of business operations, we also collect personal data, e.g., during business meetings, industry events, or through business card exchanges – for the purpose of establishing and maintaining business contacts. The legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in creating a network of contacts in connection with business activities.

Such personal data are processed solely for the purpose for which they were collected, ensuring their appropriate protection.

Information on personal data processed within our online services is included in a separate document titled “Privacy Policy”, available on the website of the respective service.

RIGHTS OF DATA SUBJECTS

The user has the right to access their data and request their rectification, erasure, restriction of processing, data portability, and the right to object to data processing, as well as the right to lodge a complaint with the supervisory authority responsible for personal data protection. Where the user’s data are processed based on consent, such consent may be withdrawn at any time by contacting the Controller through the communication channels indicated above in this Policy in the section titled “Contact with the Controller”.

Right to object

The user has the right to object at any time to the processing of their data for direct marketing purposes, including profiling, if the processing is carried out in connection with the Controller’s legitimate interest.
The user also has the right to object at any time to the processing of their data on grounds relating to their particular situation, in cases where the legal basis for data processing is the Controller’s legitimate interest (e.g., in connection with analytical and statistical purposes, including profiling).
An objection to data processing may be submitted through the communication channels indicated above in this Policy in the section titled “Contact with the Controller”.

DATA RECIPIENTS

In connection with the provision of services, personal data will be disclosed to external entities, in particular to providers responsible for the operation of IT systems used to provide services, entities such as banks and payment operators, research companies, accounting service providers, couriers (in connection with order fulfilment), marketing agencies (in the scope of marketing services), and entities affiliated with the Controller, including companies within its capital group.
Where the user’s consent is obtained, their data may also be shared with other entities for their own purposes, including marketing purposes.
The Controller reserves the right to disclose user-related information to competent authorities or third parties requesting such information based on an appropriate legal basis and in accordance with applicable law.

TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

The level of protection of personal data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection ensured, primarily through:
• cooperation with data processors located in countries for which the European Commission has issued an adequacy decision;
• application of standard contractual clauses issued by the European Commission;
• application of binding corporate rules approved by the competent supervisory authority.
The Controller always informs data subjects about the intention to transfer their personal data outside the EEA at the time of collection.

SOCIAL MEDIA

We process personal data of users visiting our profiles maintained on social media platforms (Facebook, Instagram, Twitter, LinkedIn, YouTube). Such data are processed solely in connection with the operation of the profile, including informing users about our activities and promoting various events, services, and products. The legal basis for processing personal data for this purpose is our legitimate interest (Article 6(1)(f) GDPR), consisting in promoting our own brand.

Our websites use social media plug-ins. Plug-ins allow the user, among other things, to share content published on our websites on a selected social media platform. The use of plug-ins results in the relevant social network receiving information about the user’s interaction with our website and may associate it with the user’s profile on that platform.

Where we use the Facebook Audience Insights tool (e.g., by placing a “Like” or “Share” plug-in on the website), joint controllership of users’ personal data occurs between us and Facebook Ireland Limited.

More information about Facebook Audience Insights and the arrangements between joint controllers (including the scope of their responsibilities) can be found at: LINK