Privacy Policy

I. General provisions

Definitions of terms used herein:

1. Controller – GPD Agency spółka z ograniczoną odpowiedzialnością spółka komandytowa, with its registered office in Poznań at the following address: ul. Roosevelta 18, 60-829 Poznań, entered in the register of entrepreneurs of the National Court Register (KRS) kept by the District Court for Poznań-Nowe Miasto and Wilda in Poznań, 8th Commercial Division of the National Court Register, under KRS number 0000527454, business statistical identification number (REGON): 302860051, tax identification number (NIP): PL 7811902177;
2. Personal data – any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number (PESEL), location data, or an online identifier;
3. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
4. Website – an online platform available on www.gpd.com.pl;
5. User – any natural person visiting the Website or using at least one of the services provided thereon.

The Privacy Policy is a document governing the principles of the Users’ personal data collection, processing and protection in connection with the use of the Website.

The Controller’s primary objective is to protect the Users’ privacy and ensure compliance of the processing operations performed on the personal data collected in connection with the Users’ activity on the Website with applicable laws, including the GDPR.

II. Principles of personal data processing

1. The Controller shall process the personal data on the following grounds:
   1. Article 6 1b of the GDPR – the data shall be processed in connection with and for the purpose of the performance of the agreement (which includes all personal data provided to the Controller in connection with the agreement concluded that need to be processed for the purpose of such a performance, and covers the processing operations required to take actions requested by the data subject prior to the conclusion of such an agreement);
   2. Article 6 1c of the GDPR – for the purpose of compliance with the Controller’s legal obligation under applicable laws (e.g. accounting or tax laws);
   3. Article 6 1f of the GDPR – for purposes resulting from the legitimate interests pursued by the Controller and involving:
      • archiving of documents (also files concerning commercial relations) including, among others, portfolios, offers, inquiries, and email correspondence sent/received as part of the cooperation;
      • setting up and maintaining contractor databases, including photo shoot location databases;
      • exercising or defending claims;
      • performing quality analyses and maintaining statistics regarding the services provided and projects implemented;
      • and responding to the correspondence sent to the Controller.

   Pursuant to Article 6(1)(a) of the GDPR, in individual cases and upon a prior consent, the Controller may process personal data for purposes other than those listed above.

2. The Controller shall exercise due diligence to protect the interests of data subjects, and it shall, in particular, ensure that the personal data it collects are: processed in accordance with applicable laws; collected for specific and lawful purposes and not subjected to any further processing operations non-compliant therewith; and substantively correct and commensurate with the purposes of processing.
3. For some marketing-related purposes, the Controller may employ profiling techniques and automatic processing for the personal data collected with the use of cookies or other similar technologies (e.g. marketing tools provided by Google). The Controller’s actions (including profiling) are neither taken for the purpose of making any decisions regarding the User based on automated processing nor produce any legal effects concerning the User. More information about cookies may be found in Article VI and in Article VII: Analytical and marketing tools used by the Controller.
4. The Controller processes personal data of the Users who visit the Controller’s profiles on social media platforms (Facebook and Instagram) and undertake any activity thereon. The data are processed pursuant to the legitimate interests of the Controller and solely for marketing purposes (also relating to the promotion of the Controller’s brand, activity, services and products) and with a view to establishing and maintaining communication.

III. Rights of Users

1. Each User has the right to:
   1. access their personal data, i.e. to receive confirmation about whether or not the Controller processes the personal data, and the information about the scope of and the legal grounds for processing;
   2. rectify their personal data (where the data processed by the Controller are incorrect or incomplete);
   3. request the data to be erased;
   4. request the processing of their data to be restricted;
   5. data portability, i.e. the right to receive their personal data as provided to the Controller and to transmit those data to another controller, where the processing is based on the consent or agreement and carried out by automated means;
   6. object to the processing of their personal data for the purpose of the legitimate interest pursued by the Controller;
   7. object to the processing of their personal data for marketing purposes;
   8. withdraw the consent to the processing of their personal data, at any time, which shall not affect the lawfulness of processing based on consent before its withdrawal;
   9. and lodge a complaint with a relevant supervisory authority in Poland or any other EU Member State, particularly where the User believes that their personal data are processed in a manner violating the provisions of the GDPR (as of 25 May 2018, the supervisory authority in Poland is the President of the Personal Data Protection Office).
2. To exercise the above-listed rights, the User may submit their request:
   1. in writing (the request should be sent to the Controller’s address);
   2. or electronically (by an e-mail sent to: ochrona.danych@gpd.com.pl).
3. The request referred to in Item 2 above must be clear and, in particular, it needs to specify the right the User wishes to exercises as well as the purpose of processing and the category of the personal data it concerns. Where needed, the Controller may ask the User to supplement their request with more specific or additional data necessary to properly respond and comply with such a request.
4. The Controller shall advise the User of the measures implemented in relation to their request within a month of its receipt. Where required, the Controller shall advise the User of the necessity to extend the deadline for the response and state the grounds therefor.
5. The Controller shall send its response using the same means of communication via which it has received the User’s request. Where the request was made in writing, the Controller may respond via an e-mail (provided that the User requested so and provided the e-mail address).

IV. Data retention period:

1. personal data processed for the purpose of agreement conclusion or performance shall be retained throughout the term of the agreement and, upon its expiry, for a period necessary to provide clients with after-sales services or secure/exercise potential claims of or against the Controller;
2. personal data processed for the purpose of the fulfilment of the Controller’s legal obligation shall be retained until such an obligation is met;
3. personal data processed based on a consent shall be retained until the consent is withdrawn;
4. personal data processed for the purposes of the legitimate interests pursued by the Controller shall be retained until an objection to such processing has been made, unless the Controller proves that there are legitimate grounds for their processing that override the data subject’s interests, rights and freedoms, or grounds necessary for the establishment, exercise or defence of legal claims;
5. and personal data processed for marketing purposes shall be processed until an objection to such processing has been lodged.

Where a data subject objects to the processing of their personal data for marketing purposes, their data shall no longer be processed for such purposes.

V. Categories of data recipients

The Users’ personal data may be disclosed to the Controller’s employees, business partners, affiliates, debt collection companies, mail service providers, carriers, business partners providing technical services, providers of hosting services and IT systems, and contractors, or any other entities providing services to the Controller, its employees or business partners.

VI. Cookies and site data

1. The Website uses cookies, i.e. small text and numerical files created by the web server while the User is browsing a website, and saved in the User’s ICT system (on the PC, mobile phone or any other device through which the User enters the Website) that enable future identification of the User at the time they use the same device to enter the Website once again.
2. Cookies collect data concerning the User’s activity on the Website and their main purpose is to make it easier for the User to browse the Website, adapt the Website to the User’s needs and expectations (customisation of the Website’s tabs), analyse the traffic generated on the Website, and enable the Controller to carry out marketing activities.
3. The data collected with the above-mentioned technologies and for the above-listed purposes (including marketing purposes) may be used pursuant to the Controller’s legitimate interest and only if the User has consented to the use of cookies. The consent may be withdrawn at any time. The User may consent to the use of cookies by properly setting the browser. The User may also restrict or disable cookies in their browser, at any time, by choosing relevant settings that block cookies or warn the User before cookies are saved on the device from which they browse the Website.
4. The User may find on the Website links directing to other websites. Privacy and cookie policies applicable to such websites are beyond the Controller’s control. Before browsing other websites, all Users are recommended to read their privacy and cookie policies (where available) or if no such documents are provided – to contact the website administrator to obtain relevant information.
5. Cookie settings may vary depending on the User’s browser. The information about cookies may be found under each browser’s Help tab and on the following website: http://www.aboutcookies.org. Browser cookies – relevant privacy settings need to be selected from the browser’s options:

Google Chrome

Google Chrome’s default settings allow cookies to be stored. To change the settings:

• go to the ‘Google Chrome Settings’ menu and click ‘Settings’;
• click ‘Show advanced settings’ at the bottom of the page;
• click ‘Privacy’ and select the ‘Content settings’ option;
• select a required setting;
• to enable special settings for a given website, click ‘Manage exceptions’ and select your own website settings;
• to confirm the changes, click ‘Done’.

Microsoft Internet Explorer

Microsoft Internet Explorer’s default settings allow cookies to be stored but they block files that may originate from websites with no privacy policies. To change the settings:

• go to the ‘Tools’ menu and click ‘Internet options’;
• go to the ‘Privacy’ tab;
• using the slider, customise the security zone (the highest blocks cookies entirely, while the lowest allows all types of cookies to be stored);

OR:

• click ‘Advanced’ and select a required setting yourself;
• to enable special settings for a given website, click ‘Websites’ and select your own website settings;
• confirm by clicking on the ‘OK’ button.

Mozilla Firefox

Mozilla Firefox’s default settings allow cookies to be stored. To change the settings:

• go to the ‘Tools’ menu (in other versions: click on the ‘Firefox’ button) and select ‘Options’;
• then go to the ‘Privacy’ tab and select a required setting;
• to enable special settings for a given website, click ‘Exceptions’ and select your own website settings;
• confirm by clicking on the ‘OK’ button.

Opera

Opera’s default settings allow cookies to be stored. To change the settings:

• click ‘Preferences’, select the ‘Advanced’ option and then click ‘Cookies’;
• select a required setting;
• to enable special settings for a given website, go to the website, right-click and select the ‘Website preferences’ option, go to the ‘Cookies’ tab, and then enter the required settings.
• confirm by clicking on the ‘OK’ button.

Safari

Safari’s default settings allow cookies to be stored. To change the settings:

• go to the ‘Safari’ menu and select the ‘Preferences’ option;
• click ‘Privacy’;
• select a required setting;
• to enable special settings for a given website, click ‘Details’ and select your own website settings.

VII. Analytical and marketing tools used by the Controller

The Controller employs the following analytical and marketing methods and tools:

• GOOGLE ANALYTICS – files used by Google to analyse the Users’ activity on the Website (reports and statistics). The tool does not use the data to identify Users. More information about Google Analytics may be found on: https://www.google.com/intl/pl/policies/privacy/partners.
• GOOGLE ADS – this tool measures the effectiveness of the Controller’s advertising campaigns. It enables the analysis of keywords and the measurement of the unique reach. It also allows advertisements to be displayed for Users who have previously visited the Website. More information about Google Ads may be found on: https://policies.google.com/technologies/ads?hl=pl.
• FACEBOOK PIXELS – this tool allows the measurement of the effectiveness of advertising campaigns on Facebook and, as other Facebook tools, it facilitates an in-depth data analysis to optimise the Controller’s activities. More information about Facebook Pixels may be found on: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
• SOCIAL MEDIA ADD-ONS – they allow Users to share the content published on the Website on selected social media platforms. When these add-ons are applied, a social media platform receives the information about the use of the Website and it may assign it to the User’s profile created on that social media platform. The Controller is not familiar with the purpose for which social media platforms collect the User’s data or with the scope of the data collected. More information about the service may be found on: https://www.facebook.com/policy.php.
• HOTJAR – this tool allows the User’s activity on the Website to be analysed with, for example, user satisfaction surveys or on-site click analytics. The tool does not enable User identification. More information about the data collected by HotJar and methods to disable User monitoring may be found on: https://www.hotjar.com/privacy.
• DOUBLECLICK – this tool measures the effectiveness of the Controller’s advertising campaigns (Google Ads campaigns) and enables the analysis of results.
• GOOGLE TAG MANAGER – this tool allows the User’s activity to be analysed by managing other analytical or marketing tools used by the Controller.

VIII. Final provisions

1. The Controller implements technical and organisational measures to ensure that the level of protection used for the personal data it processes is commensurate with the risk and appropriate for the categories of personal data under protection; in particular, the Controller secures the personal data against unauthorised access or removal, unlawful processing, alteration, loss, damage or destruction.
2. This Privacy Policy shall enter into force at the date it is published on the Website. The Controller may amend and, in particular, update, this Privacy Policy. All amendments to and updates of the Privacy Policy shall be published on the Website and be binding as of the date of their publication.

Contact

The Controller appointed the Data Protection Officer, who can be reached at ochrona.danych@gpd.com.pl.