PRIVACY AND COOKIE POLICY

This policy is addressed to the users of the http://www.phillips-europe.com/ website (“Website”) and the Controller’s contractors and customers.

The processing of personal data shall take place in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

The policy describes the rules of collecting and using the data of website users; the data is collected directly from the users or by means of cookies and similar technologies.

  1. THE CONTROLLER

The Controller of the data collected in connection with the use of the Website is:

  • Phillips Poland spółka z ograniczoną odpowiedzialnością with its registered seat in Chechło Pierwsze, ul. Zwycięstwa 32, 95-082 Chechło Pierwsze, entered into the Register of Entrepreneurs kept by the District Court for Łódź-Śródmieście in Łódź, 20th Commercial Department of the National Court Register (KRS) under KRS number: 654066, NIP (Tax Identification Number): 701-064-47-54, REGON (Registration Number) 366145172, with equity capital in the amount of PLN 1,786,750 (“The Controller”);

  • Phone: + 48 42 215 34 34;

  • E-mail address: sekretariat@phillips-europe.com;

In all matters related to the processing of the Website users’ data by the Controller, you may contact us, using the contact details provided above.

  1. LEGAL BASIS, PURPOSES OF DATA PROCESSING AND RETENTION PERIOD FOR PERSONAL DATA
  1. Personal data are processed by the Controller when:

  • the data subject gave their consent for the processing of their personal data for one or more specified purposes (Article 6(1)(a) of the GDPR);

  • the data processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (Article (6)(1)(b) of the GDPR);

  • processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except in situations when the interests or fundamental rights and freedoms of the data subject (requiring the protection of personal data) take precedence (Article 6(1)(f) of the GDPR).

  1. The data of the Website visitors can be processed for the following purposes:

  • network traffic analysis, ensuring security within the Website and adjusting the content to the needs of users on the basis of a legally justified interest of the Controller (Article 6(1)(f) of the GDPR).

  • answering the questions, submitting an offer that has been ordered and conducting correspondence in order to settle some matters – on the basis of the user’s consent and the Controller’s legitimate interest, i.e. fulfilling the users’ requests (Article 6(1)(a) and (f) of the GDPR).

  1. The Controller may place marketing information about his products or services on the Website. These content shall be displayed by the Controller in accordance with Article 6(1)(f) of the GDPR, in accordance with the Controller’s legitimate interest consisting in the publication of contents related to the services provided and the promotional contents of the actions in which the Controller is involved. At the same time, such an action does not violate the rights and freedoms of the users; the users expect to receive such content and sometimes even count on it or it is their direct purpose for visiting the Website.

  2. Personal data shall be stored until the consent is withdrawn, the issue that required storage of personal data is resolved or for the period necessary to achieve the purpose for which the data was obtained on a specific legal basis, and then until the expiry of the statute of limitations for the parties’ claims related to the execution of the purpose.

  3. E-MAIL CORRESPONDENCE

    1. The Controller processes contact details of e-mail correspondence senders and addressees, contained in the content of this correspondence, for the following purposes:

  • enabling the senders and addressees to contact the Controller via e-mail and enabling the Controller to contact the addressees;

  • documenting arrangements made with customers, contractors or other persons;

  • receiving letters, applications and requests – e.g. charges, complaints, other requests – in an electronic form;

  • protection against claims and pursuit of claims (if there are any).

    1. The legal basis for processing the data contained in the e-mail correspondence is:

  • legally justified interest of the Controller and senders of electronic messages (Article 6(1)(f) of the GDPR) – in relation to incidental correspondence, consisting in enabling electronic contact with the Controller;

  • the necessity of data processing for the purpose of performing a contract with customers or contractors (Article 6(1)(b) of the GDPR) with regards to the correspondence conducted in order to carry out the contract;

  • voluntary consent – if special categories of data feature in the correspondence sent. If the sender has not included their consent in the correspondence, they shall be asked to provide a separate consent, as this is a prerequisite for the processing of special categories of data in accordance with the GDPR. Consent may be withdrawn at any time, without the need to provide any reason for it, but without affecting the lawfulness of data processing before the consent was withdrawn;

  • a voluntary consent granted by means of an explicit confirmatory action – if the sender of the message requests the provision of some information concerning the Controller’s brand, their products or services, the answer given to the sender will contain the requested information; the fact of sending an inquiry will mean granting consent for the Controller to send the sender commercial information to the e-mail address provided by the sender, to the extent necessary to provide an answer (Article 10 of the Act on Providing Services by Electronic Means); the consent may be withdrawn at any moment without the need to provide any reason, but commercial information sent after the inquiry has been sent, and before the withdrawal of consent, will be sent in accordance with the law; withdrawal of consent may prevent a full answer to the question asked;

  • the Controller’s legitimate interest in pursuing or defending their claims in accordance with the applicable provisions of law, in particular the Civil Code (Articles 6(1)(f) and 9(2)(f) of the GDPR).

  1. CONTACT FORM

    1. The content of correspondence and contact information is processed for the time necessary to handle the case related to the user, including to send marketing information about products or services selected by the user.

    2. This data will then be processed for the purpose of providing (electronically) the contact form service, in accordance with the rules and regulations available <here – link to the rules and regulations applicable to the contact form service> (Article 6(1)(b) of the GDPR).

    3. As far as sending of commercial information by electronic means or direct marketing via telephone terminal devices is concerned, the data will be processed on the basis of a consent given by means of an explicit confirmatory action (Article 6(1)(a) in conjunction with Article 4(11) of the GDRP), consisting in completing the relevant box intended for entering the e-mail address or telephone number and clicking on the box “I agree”.

    4. Pursuit of claims

  • If it is necessary for the Controller to pursue claims or defend themselves against claims, the Controller may process the personal data of specific users included in the online contact form until the end of the pending proceedings and until the expiry of the statute of limitations for the Controller’s claims against the user – which is usually three years, pursuant to Article 118 of the Civil Code, but may be longer in specific cases provided for in law.

  • This data will then be processed in accordance with Article 6(1)(f) of the GDRP, i.e. for the purpose of pursuing a legitimate interest by the Controller, consisting in pursuing their claims against the user or defending themselves against such claims. The legitimate interest of the Controller shall then take precedence over the rights and freedoms of the service recipient.

  1. RIGHTS OF DATA SUBJECTS
  1. Every data subject is entitled to:

    1. HAVE ACCESS TO THEIR DATA (Article 15 of the GDPR) – the right to obtain confirmation from the Controller whether or not their personal data is being processed. If the personal data is indeed processed, the person shall be entitled to access it and to obtain the following information:

  • the purpose of data processing;

  • categories of personal data;

  • the recipients or categories of recipients to whom the data have been or will be disclosed, in particular those from third countries or international organisations;

  • the data retention period or the criteria on the basis of which it is determined;

  • the right to request the rectification, erasure or restriction of the processing of personal data to which the data subject is entitled and to object to the processing;

    1. RECEIVE A COPY OF DATA – the right to obtain a copy of the data that is being processed; the first copy shall be made available by the Controller free of charge, and for the subsequent copies they may impose a reasonable fee resulting from administrative costs (Article 15(3) of the GDPR);

    2. RECITFY THE DATA – the right to request the rectification of personal data concerning the subject data which are inaccurate or the right to fill in the data that is incomplete (Article 16 of the GDPR);

    3. ERASE THE DATA the right to request erasure of their personal data if the Controller no longer has a legal basis for processing of the data or if the data is no longer necessary for the purposes of processing (Article 17 of the GDPR). The Controller is obliged to erase the personal data without undue delay if one of the following circumstances occurs:

  • the data is no longer necessary for the purpose for which it was collected or is processed,

  • the person has withdrawn their consent to the processing of their personal data and there is no legal basis for continuing the processing anyway,

  • the person objects to the processing and there are is no overriding legal basis for processing, or

  • the person objects to the processing of their personal data for the purposes and within the scope of direct marketing (including profiling);

  • processing in any other way is not or was not in accordance with the GDPR or other legal regulations;

  • personal data was collected in relation to offering information society services directly to people younger than 16;

    1. RESTRICT THE PROCESSING – the right to request a restriction of the processing of personal data (Article 18 of the GDPR), if:

  • the data subject questions the accuracy of the personal data – for the period allowing the Controller to check the accuracy of the data,

  • the processing is unlawful and the data subject objects against erasure of the data by demanding the processing to be restricted,

  • The Controller no longer needs these data, but it is needed by the data subject to lodge, pursue or defend claims,

  • the data subject has objected to the processing – until it has been determined whether the legitimate basis on the part of the Controller take precedence over the grounds for the data subject’s objection;

    1. TRANSFER THE DATA – the right to receive the personal data concerning the data subject provided to the Controller in a structured, commonly used machine-readable format and to request that this data be sent to another Controller, if it is processed on the basis of the data subject’s consent or an agreement concluded with them and if the data is processed in an automated manner (Article 20 of the GDPR);

    2. OBJECT TO THE PROCESSING OF DATA – the right to object to the processing of their personal data for the Controller’s legitimate purposes, for reasons related to the data subject being in particular situation, including the right to object against profiling. In such situations the Controller shall assess whether or not there is an important legitimate basis for processing overriding the interests, rights and freedoms of data subjects or grounds for lodging, pursuing or defending claims. If, according to the assessment, the interests of the data subject take precedence over the interests of the Controller, the Controller shall be obliged to cease the processing of the data for the purpose of pursuing their own interests (Article 21 of the GDPR);

    3. WITHDRAW THEIR CONSENT – the right to withdraw their consent at any moment and without the need to provide a reason; however, the processing of personal data that took place before the withdrawal of consent still shall be considered as lawful. Withdrawal of consent shall result in the Controller’s ceasing to process personal data for the purpose for which the consent was given.

  1. In order to exercise the aforementioned rights, the data subject should contact the Controller (using the contact details provided) and inform them which right they want to exercise and to what extent.

  1. THE PRESIDENT OF THE OFFICE FOR THE PROTECTION OF PERSONAL DATA

The data subject has the right to lodge a complaint with the supervisory authority; in Poland it is the President of the Office for the Protection of Personal Data, with its registered seat in Warsaw, ul. Stawki 2. The Office can be contacted by the following means:

  • by post: ul. Stawki 2, 00-193 Warsaw;

  • via electronic mailbox available at: https://www.uodo.gov.pl/pl/p/kontakt;

  • by phone: (22) 531 03 00.

  1. RECIPIENTS OF THE DATA OF THE DATA SUBJECTS

The Controller shall disclose the users’ personal data only to the processing entities and under the concluded contracts of personal data processing entrustment for the purpose of providing services to the Controller, e.g. hosting and handling of the Website, IT services, analytical services, marketing and PR services, legal and advisory services.

  1. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Some of the partners or service providers, such as the companies Google or Facebook, are based in or have servers outside the European Economic Area (EEA). In such cases, they must guarantee a high level of personal data protection. These guarantees may in particular result from an obligation to apply the standard contractual clauses adopted by the Commission (EU) or to participate in the Privacy Shield programme established by Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S., Privacy Shield.

  1.  USE OF COOKIES AND SIMILAR TECHNOLOGIES
  1. The Website allows for collecting information about the user by means of cookies and similar technologies, the use of which most often involves installing one of the above-mentioned tools on the user’s device (computer, smartphone, etc.). This information is used to store the information regarding the user’s decisions (font selection, contrast, whether or not the policy has been accepted), collect information about the user’s device and about their visit on the Website in order to ensure security, but also to analyse the visits and adjust the content.

  2. The Website uses “session” cookies, which are temporarily stored on the user’s device until they log out, leave the Website or close the browser, as well as “permanent” cookies, which are stored on the user’s device in accordance with the parameters specified in the file itself or until the user removes them. Cookies are divided into the following types:

  • strictly necessary cookies – these are cookies that are essential for the user to browse the Website and to optimise its performance;

  • secure cookies – these are cookies that are needed to ensure security, e.g. to support mechanisms preventing abuse of their rights by the Website users etc.

  • functional cookies – these are cookies that store data concerning the Website user’s preferences, such as font size, region or language, in order to enhance the user’s experience on the Website;

  • analytical cookies – these are cookies that collect information about how the users use the Website and information concerning the traffic on the Website for the purpose of improving its operation;

  • advertising cookies – these are cookies that allow the Website to provide the user with advertising content tailored to their interests.

The Website uses strictly necessary cookies and functional cookies.

  1. The user can set their browser to block certain types of cookies and other technologies by, for example, specifying that only those that are necessary for the correct display of the website will be allowed. By default, most browsers allow the use of all cookies, but the user can change these settings at any time; they can also delete cookies already installed. This can be done by selecting one of the options available in the browser settings of option preferences.

  2. The user can also use the website in the so-called incognito mode, which blocks the possibility of collecting data about his visit.

  3. If the user uses the Website without changing the settings of their browser, i.e. accepting cookies and similar technologies, means that they agree to the use of such technologies for the purposes specified above.

  4. External components (the so-called plug-ins) belonging to the following entities are also integrated into the Website:

  • Youtube

The operator of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. In the European Economic Area and Switzerland, the controller of personal data is Google Ireland Limited Gordon House, Barrow Street; Dublin 4, Ireland. YouTube data protection policy https://www.google.com/intl/pl/policies/privacy/
  • LinkedIn

The operator for non-U.S. users is LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland. The LinkedIn privacy policy is available at www.linkedin.com/legal/privacy-policy
  • Facebook

Facebook is owned by Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.. For users outside the United States or Canada, the Controller of personal data provided to Facebook is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland. Facebook data protection policy https://facebook.com/about/privacy/
  • Google Analytics and Google Ads

In the European Economic Area and Switzerland, the controller of personal data is Google Ireland Limited Gordon House, Barrow Street; Dublin 4, Ireland. Google privacy policy: https://policies.google.com/privacy?gl=PL&hl=pl
  1. AMENDMENTS TO THE PRIVACY POLICY

1. The Privacy Policy may be supplemented or updated according to the Controller’s current needs, in order to provide users with up-to-date and reliable information about their personal data and information concerning the users themselves. The users shall be notified of any changes to the privacy policy on the Website.

2. This Privacy Policy is valid as of July 15, 2020.