Personal data processing takes place in accordance with the provisions of the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2023 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal EU L no. 119), hereinafter referred to as GDPR, and the Act on providing services by electronic means and other applicable regulations.
Personal Data Controller
The Data Controller shall be: H88 S.A. with its registered seat in Poznań, ul. Franklina Roosevelta 22, 60-829 Poznań, entered in the National Court Register by the District Court for Poznań – Nowe Miasto i Wilda in Poznań, VIII Commercial Division of the National Court Register under KRS no. 0000612359, REGON 364261632, NIP 7822622168, initial capital of PLN 215,228.00 paid up in whole.
Contact details of the Data Controller: ul. Franklina Roosevelta 22, 60-829 Poznań, e-mail: [email protected], phone: +48 12 446 63 77
Data Protection Officer
The Data Protection Officer for the Data Controller shall be Dariusz Sikorski (hereinafter DPO) who can provide more information on the rights of the person and their personal data at the e-mail address:
Voluntary personal data sharing
The Provider would like to inform that unless it is stipulated otherwise in particular forms (e.g. indicating the data sharing is voluntary), the Provider’s services cannot be used anonymously or by means of an alias. Consequently, any refusal to share the personal data can entail refusal to execute an agreement and provide the ordered service.
To create a customer’s account to order the Provider's service, it is required to create a login and provide:
For an individual not running their business activity | For an entrepreneur |
|
|
Types of processed data, purposes, legal grounds for data processing by the Provider and the anticipated period of storage
Data type | Processing purpose | Legal grounds | Storage period |
Mandatory data Contact details of the Customer's personnel (including name and surname, e-mail address, phone number) | Keeping the customer’s account on the website, provision of the ordered services, ensuring contact in connection with service provision | Article 18 section 1 of the Act on providing services by electronic means Article 6 section 1 item b) GDPR (mandatory for the agreement performance) | Until the customer’s account is deleted |
Pursuit or defence of claims | Article 6 section 1 item f) GDPR (legitimate interest) | Until the expiry of the claims’ limitation period | |
Marketing and direct marketing of the Controller’s products or services, including e.g. the Customer’s satisfaction survey etc. | Article 6 section 1 item f) GDPR (legitimate interest) | Until any objections are made pursuant to Articles 21–22 GDPR | |
Sending commercial information by electronic means (advertising e-mails and SMSes), making telephone calls to present promotional or customised offers | Article 6 section 1 item a) GDPR in connection with Article 172 section 1 of the Telecommunications Law and Article 10 section 2 of the Act on providing services by electronic means (Consent) | Until the consent is revoked or any objections are made pursuant to Articles 21–22 GDPR | |
Data required because of the selected service settlement method, including but not limited to: Details of the bank account used to make the payment Data included in the issued bills (VAT invoices) Data of the ordered and performed services (order history) | Settlement of the provided services | Article 18 section 2 of the Act on providing services by electronic means Article 6 section 1 item b) GDPR (mandatory for the agreement performance) | Until the expiry of the claims’ limitation period or the termination of the obligation when the accounting documents need to be retained |
Fulfillment of legal obligations concerning accounting and bookkeeping | Article 6 section 1 item c) GDPR (fulfillment of legal obligations concerning accounting) | ||
Pursuit or defence of claims | Article 6 section 1 item f) GDPR (legitimate interest) | ||
Data included in any communication with the Data Controller (in any filled-in contact forms, application system, e-mail, chat application, traditional communication) Telephone call recordings | Communication, handling applications, requests, inquiries or complaints. Disclosing the content of any statements or requests made by the person | Article 6 section 1 item c) GDPR (fulfillment of legal obligations concerning responding to the data subjects’ requests) Article 6 section 1 item f) GDPR (legitimate interest) | Until the expiry of the claims’ limitation period |
Pursuit or defence of claims | Article 6 section 1 item f) GDPR (legitimate interest) | ||
Data characterising the way of using a service provided electronically (operating data): Identification no. ascribed to the person based on the data held Numbers identifying the telecommunications network terminal or an IT system used by the person Information on starting, ending and scope of every use of the service provided by electronic means Information that the customer used services provided by electronic means | Ensuring service quality parameters and optimisation Ensuring safety measures Handling inquiries Determining any prohibited use of the service and sharing data with authorised bodies | Article 18 section 5–6 of the Act on providing services by electronic means Article 6 section 1 item f) GDPR (legitimate interest) | Up to 6 months With respect to any data concerning access to the customer’s panel and placement of orders, instructions or requests — throughout the service term, and later until the expiry of the claims’ limitation period. |
All the above-mentioned personal data processed by the Data Controller in the IT systems. | Making and storage of backup copies, ensuring the ability to provide continuous confidentiality, integrity, accessibility and resistance of systems and processing services; ensuring the ability to restore the accessibility of personal data and access to them quickly in the case of any physical or technical incident. | Article 6 section 1 item c) in connection with Article 32 section 1 items b) and c) GDPR (fulfillment of legal obligations related to ensuring data security, integrity and accessibility) | Compliant with the internal backup copy schedule |
Right to withdraw the agreement
If the Data Controller processes personal data based on a consent, such a consent can be withdrawn any time. The consent withdrawal does not affect the legitimacy of processing carried out before the withdrawal.
Rights of the data subject related to their personal data processing
The data subject shall have the following rights concerning their personal data:
Right to access the data | Article 15 GDPR. Essence of the law: The Data Subject shall be entitled to obtain a confirmation their personal data is processed from the Data Controller and if so they shall be entitled to access it and the information provided in the said provision. |
Right to have the data corrected and complemented | Article 16 GDPR Essence of the law: The Data Subject shall be entitled to request the Data Controller to correct their personal data immediately if it is incorrect. Based on the processing purposes, the Data Subject shall be entitled to request that any incomplete personal data is complemented, including by making an additional statement. |
Right to have the data deleted | Article 17 GDPR Essence of the law: The Data Subject shall be entitled to request the Data Controller to delete their personal data immediately and the Data Controller shall be obliged to delete such personal data without undue delay if one circumstance stipulated in the said provision occurs. |
Right to have the data processing restricted | Article 18 GDPR Essence of the law: Processing restriction means marking the personal data kept to restrict its future processing. Given such data marking, its processing, other than storage, is possible solely based on the consent or for purposes stipulated in this provision. Restriction can be demanded in the cases stipulated in this provision. |
Right to have data transferred | Article 20 GDPR Essence of the law: The Data Subject shall be entitled to receive their data submitted by them to the Data Controller in a structured, popular, machine-readable format and also to send such data to another data controller with no objections on the Data Controller’s part |
Right to object | Article 21 GDPR Essence of the law: If the personal data is processed for the purposes of direct marketing, the Data Subject shall be entitled to object to processing their personal data for the purpose of such marketing any time, including profiling, in the scope the processing is connected with such direct marketing. The right to object applies also in other cases stipulated in Articles 21–22 GDPR. |
The Data Subject can exercise the said right by contacting the Data Controller in any way stipulated hereinabove. This refers also to the withdrawal of any consents granted. During remote contact, the Data Controller may request the Data Subject to provide personal data to verify their identity.
Data recipients
The data can be shared with entities commissioned by the Data Controller or providing services for them, including but not limited to:
The data can be also disclosed to:
Data transfer to third countries
As a rule, personal data is not transferred to any third country or international organisation outside the European Economic Area (EEA). However, the transfer can take place in the below-mentioned scope.
Personal data can be transferred outside EEA in connection with the Data Controller’s use of analytical or advertising services provided by Google LLC, including Google Adwords and Google Analytics. In such a case, the data is transferred to the United States of America based on the European Commission decision (the so-called Privacy Shield) ascertaining the appropriate personal data protection degree is ensured for the scheme participants, including for the provider of the said services, Google LLC, Mountain View, California.
The data can be transferred also if any service requiring to transfer personal data to any third country is ordered, i.e. including but not limited to the registration of an Internet domain the register of which is handled by an entity with its seat in a country not belonging to EEA or a SSL certificate handled by such an entity. In such a case the personal data is transferred regardless of whether there was the European Commission ascertaining the appropriate data protection level issued or if there were any other security measures stipulated in Article 46 or 47 GDPR issued for the said third country or international organisation. The data shall be transferred solely in the scope required to perform the ordered service.
Given the fact that it is impossible to specify and describe all the likely situations when personal data can be transferred outside EEA in connection with domain registration, purchase of SSL certificates or ordering any other services offered by the Data Controller in this document (there are more than 1,500 domains, including domestic, international and nTLD ones in the IANA database, the registers of which are frequently kept by separate organisations), the detailed information can be obtained:
What is more, the detailed information on data transfer outside EEA in connection with particular service provision can be obtained from the Data Protection Officer (e-mail address: [email protected]).
Profiling
With respect to the Data Subject there can be activities consisting in automated decision-making carried out, including profiling to provide services pursuant to the executed agreement and for the Data Controller to carry out direct marketing. They have no legal effects and are not based on any data belonging to any special category.
Right to complain
The Data Subject shall be entitled to complain to the supervisory body, i.e. the President of the Personal Data Protection Office if they believe their personal data is not processed compliant with the applicable law.
Mobile devices: