Controller – SOMETHING RANDOM Spółka Akcyjna, Aleja Tadeusza Kościuszki 17, 90-418 Łódź, Poland.
Personal Data – information relating to a natural person, identified or identifiable by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, location data, Internet identifier and information collected through cookies and other similar technology.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Website – the website operated by the Controller at https://somethingrandom.com/
User – any natural person visiting the Website or using one or more of the services or functionalities described in the Policy.
PROCESSING OF DATA IN CONNECTION WITH THE USE OF THE WEBSITE
In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide the individual services offered, as well as information about the User’s activity on the Website. The detailed rules and purposes of processing Personal Data collected during the User’s use of the Website are described below.
PURPOSES AND LEGAL BASIS FOR DATA PROCESSING ON THE WEBSITE
USE OF THE WEBSITE
Personal Data of all persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies), are processed by the Controller:
for the purpose of providing services electronically in the scope of making the content collected on the Website available to Users – then the legal basis for processing is the necessity of processing to perform the contract (Article 6(1) point (b) of the GDPR);
for analytical and statistical purposes – then the legal basis for the processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR), consisting in conducting analyses of Users’ activities, as well as their preferences in order to improve the functionalities used and services provided;
for the purpose of possible establishment and exercise of claims or defence against claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR), consisting in the protection of his rights;
for marketing purposes of the Controller and other entities, in particular related to the presentation of behavioral advertising – the principles of processing Personal Data for marketing purposes are described in the MARKETING section.
The User’s activity on the Website, including his/her Personal Data, is recorded in system logs (a special computer program used to store a chronological record of information about events and activities that relate to the IT system used to provide services by the Controller). The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes them for technical, administrative purposes, in order to ensure the security of the IT system and manage this system, as well as for analytical and statistical purposes – in this regard, the legal basis for processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR).
As part of recruitment processes, the Controller expects the transfer of Personal Data (e.g. in a CV or resume) only to the extent stipulated by the provisions of labour law. Accordingly, no broader information should be provided. In the event that the applications sent will contain additional data beyond the scope indicated by the provisions of labour law, their processing will be based on the candidate’s consent (Article 6(1) point (a) of the GDPR), expressed through the unambiguous affirmative action of the candidate sending the application documents. In the event that the applications sent contain information that is not relevant for the purpose of the recruitment, it will not be used or taken into account in the recruitment process.
Personal data are processed:
where the preferred form of employment is a contract of employment – in order to comply with legal obligations relating to the employment process, including primarily the Labour Code – the legal basis for the processing is a legal obligation to which the Controller is subject (Article 6(1) point (c) of the GDPR read together with the provisions of labour law);
where the preferred form of employment is a civil law contract – in order to conduct the recruitment process – the legal basis for the processing of the data contained in the application documents is taking steps at the request of the data subject prior to entering into a contract (Article 6(1) point (b) of the GDPR);
for the purpose of conducting the recruitment process in respect of data not required by law or by the Controller, as well as for the purpose of future recruitment processes – the legal basis for processing is consent (Article 6(1) point (a) of the GDPR);
for the purpose of verifying the qualifications and skills of the candidate and determining the conditions of cooperation – the legal basis for data processing is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR). The Controller’s legitimate interest is verifying the candidates for the job and determining the conditions of possible cooperation;
for the purpose of possible establishment and exercise of claims by the Controller or defence against claims made against the Controller – the legal basis for data processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR).
To the extent that Personal Data are processed on the basis of consent given, this consent may be withdrawn at any time, without affecting the lawfulness of the processing carried out before its withdrawal. Where consent has been given for the purposes of future recruitment processes, the Personal Data are deleted after two years – unless consent has been previously withdrawn.
The provision of data within the scope specified in Article 22(1) of the Labour Code is required – in the case of the candidate’s preference for employment based on an employment contract – by the provisions of the law, including in particular the Labour Code, and in the case of the candidate’s preference for employment based on a civil law contract – by the Controller. The consequence of failing to provide this data is that the given candidate cannot be considered in the recruitment process. Provision of other data is voluntary.
OTHER PROCESSES OF PERSONAL DATA PROCESSING
E-MAIL AND REGULAR MAIL
In the case of correspondence sent to the Controller by e-mail or by regular mail, which is not related to the services provided to the sender or to any other contract concluded with the sender, the personal data contained in such correspondence shall be processed solely for the purpose of communication and resolution of the matter to which the correspondence relates.
Personal data are processed for the following purposes:
communication and resolution of the matter – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR) consisting in carrying out the correspondence addressed to the Controller in relation to his business activities;
establishment or exercise of possible claims or defence against such claims by the Controller – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR) consisting in defending its business interests.
CONTACT BY PHONE
When contacting the Controller by phone on matters not related to the contract concluded or the services provided, the Controller may request the provision of Personal Data only if it is necessary to handle the matter to which the contact relates.
Personal data are processed for the following purposes:
to enable contact and to service the request – the legal basis for the processing is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR) consisting in the need to resolve the reported matter related to his business activity;
establishment or exercise of possible claims or defence against such claims by the Controller – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1) point (f) of the GDPR) consisting in defending his business interests.
DATA COLLECTION AS PART OF BUSINESS CONTACTS
In connection with his business activity, the Controller collects personal data also in other cases – e.g. during business meetings, events or by exchanging business cards – for the purposes of initiating and maintaining business contacts. The legal basis for the processing in this case is the legitimate interest of the Controller (Article 6(1) point (f) of the GDPR), consisting of networking in connection with the business activity conducted.
The Controller processes the Users’ Personal Data for the purpose of performing marketing activities, which may consist in:
displaying marketing content to the User that is not tailored to the User’s preferences (contextual advertising);
displaying to the User marketing content matching the User’s interests (behavioural advertising).
In order to carry out marketing activities, the Controller in some cases uses profiling. This means that, through automatic data processing, the Controller evaluates the selected factors concerning the Users in order to analyse their behaviour or create a forecast for the future. This allows the content displayed to be better tailored to the User’s individual preferences and interests.
The Controller and his trusted partners process the Users’ Personal Data, including Personal Data collected through cookies and other similar technologies, for marketing purposes in connection with targeting the Users with behavioural advertising (i.e. advertising that is tailored to the User’s preferences). In such a case the processing of Personal Data also includes the profiling of Users.
The Controller processes Personal Data of the Users visiting the Controller’s social media profiles (Facebook). These data are processed exclusively in connection with the managing of the profile, including for the purpose of informing the Users about the Controller’s activities and promoting various events, services and products. The legal basis for the Controller’s processing of Personal Data for this purpose is his legitimate interest (Article 6(1) point (f) of the GDPR) in promoting his own brand.
COOKIES AND SIMILAR TECHNOLOGY
Cookies are small text files installed on the User’s device when browsing the Website. Cookies collect information facilitating the use of the Website – e.g. by remembering the User’s visits to the Website and actions performed by him/her.
The Controller uses essential cookies primarily to provide the User with the services and functionalities of the Website that the User wishes to use. Essential cookies may only be installed by the Controller through the Website.
The legal basis for the processing of data in connection with the use of essential cookies is the necessity of processing to perform the contract (Article 6(1) point (b) of the GDPR).
FUNCTIONAL AND ANALYTICAL COOKIES
Functional cookies are used to remember and adapt the Website to the User’s choices, e.g. in terms of language preferences. Functional cookies may be installed by the Controller and his partners through the Website.
Analytical cookies allow to obtain information such as the number of visits and sources of traffic on the Website. They are used to determine which pages are more and which are less popular, and to understand how Users navigate the Website by keeping statistics on the traffic on the Website. The processing is done for the purpose of improving the performance of the Website. The information collected by these cookies is aggregated, so they are not intended to establish your identity. Functional cookies may be installed by the Controller and his partners through the Website.
The legal basis for the processing of Personal Data in connection with the use of functional and analytical cookies by the Controller, for this purpose, is consent (Article 6(1) point (a) of the GDPR).
The processing of Personal Data in connection with the use of functional and analytical cookies depends on the User’s consent to the use (separately) of functional and analytical cookies through the cookie consent management platform. This consent can be withdrawn at any time through this platform.
Advertising cookies allow matching the advertising content displayed to the User’s interests within and outside the Website. Based on the information from these cookies and the User’s activity on other websites, a profile of the User’s interests is built. Advertising cookies may be installed by the Controller and his partners through our website.
The legal basis for the processing of Personal Data in connection with the use of advertising cookies by the Controller, for this purpose, is consent (Article 6(1) point (a) of the GDPR).
The processing of Personal Data in connection with the use of advertising cookies is allowed after obtaining the User’s consent to the use through the consent management platform. This consent can be withdrawn at any time through this platform.
ANALYTICAL AND MARKETING TOOLS USED BY THE CONTROLLER’S PARTNERS
Google Analytics cookies are the files used by Google to analyse how the User uses the Website, to create statistics and reports on the functioning of the Website. Google does not use the collected data to identify the User, nor does it combine this information to enable identification. The detailed information about the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/pl/policies/privacy/partners.
Facebook Pixel is a tool that allows to measure the effectiveness of advertising campaigns carried out by the Controller on Facebook. The tool allows advanced data analytics in order to optimise the Controller’s activities also with the use of other tools offered by Facebook. The detailed information on data processing by Facebook can be found at this link: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
Yandex Metrica is a web analytics tool offered by Yandex that tracks and reports on website traffic. It is used to monitor website traffic and measure results from promotional activities conducted. The detailed information about the tool, the data it uses and how it works can be found at this link: https://metrica.yandex.com/about
COOKIES SETTINGS MANAGEMENT
Consent is not required only in the case of cookies, the use of which is necessary for the provision of the telecommunications service (data transmission for the purpose of displaying the content) – the User does not have the possibility to opt out of these cookies if he/she wishes to use the Website.
In order to receive advertising tailored to the User’s preferences, in addition to agreeing to the installation of cookies through the cookie consent management platform, it is necessary to maintain the appropriate browser settings that allow the storage of cookies originating from the Website in the User’s end device.
Withdrawal of consent to the collection of cookies on the Website is possible through the cookie consent management platform. The User can return to the banner by clicking on the „Manage cookies” button below or the button with the same content available in the footer of each sub-page of the Website.
After displaying the banner, the User can withdraw consent by clicking on the „COOKIE SETTINGS” button. Then he/she should move the slider next to the selected cookie category and press the „SAVE SETTINGS” button.
Internet Explorer: https://support.microsoft.com/pl-pl/help/17442/windows-internet-explorerdelete-manage-cookies
Mozilla Firefox: http://support.mozilla.org/pl/kb/ciasteczka
Google Chrome: http://support.google.com/chrome/bin/answer.py?hl=pl&answer=95647
The User can at any time verify the status of his/her current privacy settings for the browser he/she is using with the use of the tools available at the links below:
DURATION OF DATA PROCESSING
The duration of data processing performed by the Controller depends on the type of service provided and the purpose of processing. As a rule, data shall be processed for the duration of the provision of service, until the withdrawal of the consent given or until an effective objection is raised against the data processing in cases where the legal basis for data processing is the legitimate interest of the Controller.
The data processing period may be extended if the processing is necessary for the establishment and exercise of possible claims or defense against claims, and thereafter only if and only to the extent required by law. After the expiry of the processing period, the data shall be irreversibly deleted or anonymized.
DATA SUBJECT RIGHTS
Data subjects shall have the following rights:
the right to be informed about the processing of personal data – on this basis the Controller shall inform the natural person making the request about data processing, including in particular about the purposes and legal basis for processing, the scope of data held, the entities to which the data are disclosed and the planned date of data erasure;
the right to obtain a copy of the data – on this basis the Controller shall provide a copy of the processed data concerning the natural person making the request;
the right to rectification – the Controller is obliged to rectify any inconsistencies or errors in the Personal Data processed and to complete them if they are incomplete;
the right to data erasure – on this basis one can request the erasure of data the processing of which is no longer necessary for any of the purposes for which they were collected;
the right to restrict processing – if such a request is made, the Controller shall cease performing operations on the Personal Data – with the exception of operations authorized by the data subject – and their storage, in accordance with the retention rules adopted or until the reasons for restricting the processing cease to exist (e.g. a decision is issued by a supervisory authority authorizing further processing);
the right to data portability – on this basis – to the extent that the data are processed by automated means in connection with the contract concluded or consent given, the Controller shall hand over the data provided by the data subject in a computer-readable format. It is also possible to request that the data be sent to another entity, provided, however, that it is technically feasible both on the part of the Controller and the designated entity;
the right to object to processing for marketing purposes – if applicable, the data subject may object at any time to the processing of Personal Data for marketing purposes, without the need to justify such objection;
the right to object to other purposes of data processing – the data subject may object at any time, for the reasons relating to his/her particular situation, to the processing of Personal Data which is carried out on the basis of a legitimate interest of the Controller (e.g for reasons relating to the protection of property); the objection in this respect shall contain a justification;
the right to withdraw consent – if the data are processed on the basis of the consent given, the data subject shall have the right to withdraw the consent at any time, which however does not affect the lawfulness of the processing carried out before the withdrawal;
the right to lodge a complaint – if the processing of Personal Data is considered to be in breach of the provisions of the GDPR or other provisions relating to the protection of Personal Data, the data subject may lodge a complaint with the supervisory authority for the processing of Personal Data, which has jurisdiction over the data subject’s habitual place of residence, place of work or place where the alleged breach has been committed. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.
SUBMITTING REQUESTS FOR THE EXERCISE OF RIGHTS
The request concerning the exercise of rights of data subjects can be submitted:
In writing to the Controller’s address;
By means of electronic communication to the e-mail address: [email protected]
The request should, as far as possible, indicate precisely what is being requested, i.e. in particular:
what right does the requesting party wish to exercise (e.g. right to obtain a copy of data, right to data erasure, etc.);
what processing does the request concern (e.g. use of a particular service, activity on a particular website, etc.);
which purposes of the processing does the request concern (e.g. purposes relating to the provision of services etc.).
In the event that the Controller is unable to identify the natural person on the basis of the request submitted, the Controller will request additional information from the requesting party. The provision of such data is not mandatory, but failure to do so will result in the refusal to fulfill the request.
The request may be submitted in person or through a proxy (e.g. a family member). For reasons of data security, the Controller encourages the use of a power of attorney in a form certified by a notary public or an authorized legal advisor or attorney, which will significantly accelerate the verification of the authenticity of the request.
The response to the request should be given within one month of its receipt. If it results necessary to extend this period, the Controller shall inform the requesting party of the reasons thereof.
Where the request has been sent to the Controller by electronic means of communication, the response shall be given in the same form, unless the requesting party has requested a response in another form. In other cases, the response shall be given in writing. In case the deadline for fulfilling the request makes it impossible to respond in writing and the extent of the requesting party’s data processed by the Controller allows the contact by electronic means of communication, the response shall be given electronically.
In connection with the provision of services, Personal Data will be disclosed to the external entities, including in particular the suppliers responsible for the operation of IT systems, the entities such as marketing agencies (with regard to marketing services) and the entities related to the Controller, including companies forming part of his capital group.
In the event of obtaining the User’s consent, his/her data may be also made available to other entities for their own purposes, including marketing purposes.
The Controller reserves the right to disclose selected information concerning the User to the competent authorities or to third parties who submit a request for such information based on the appropriate legal basis and in accordance with the provisions of the applicable law.
TRANSFER OF DATA OUTSIDE THE EEA
The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, in particular by:
cooperating with processors of Personal Data in the countries which obtained a relevant decision of the European Commission, determining an adequate level of protection of Personal Data (you will find the detailed information here);
using the standard contractual clauses issued by the European Commission; together with the required additional security measures, these provide the same protection to Personal Data as they enjoy in the European Union; you can find contract templates here;
using the binding corporate rules approved by the competent supervisory authority;
The Controller shall always give notice of its intention to transfer Personal Data outside the EEA at the stage of their collection.
PERSONAL DATA SECURITY
The Controller shall, on an ongoing basis, conduct a risk analysis to ensure that the Personal Data are processed by the Controller in a secure manner – ensuring, in particular, that only the authorized persons have access to the data and only to the extent necessary for the performance of their tasks. The Controller shall ensure that all operations on Personal Data are recorded and performed only by authorized employees and associates.
The Controller shall take all necessary measures to ensure that also its subcontractors and other entities he cooperates with guarantee the application of appropriate security measures whenever they process Personal Data at the Controller’s request.
The Controller can be contacted at the e-mail address [email protected] or correspondence address Aleja Tadeusza Kościuszki 17, 90-418 Łódź, Poland.
The Policy is verified on an ongoing basis and updated as necessary.
The current version of the Policy has been adopted and remains in force since 01.03.2023.
Want to know more, stay in touch, maybe write us a love letter or two? Here are some useful links.
SOMETHING RANDOM 2022