PRIVACY POLICY MUVE S.A.

PRIVACY POLICY

MUVE S.A.

                                                                           

On the basis of what legal provisions are or may be processed your personal data?

Important terms.

Who does this Privacy Policy apply to?

Who is the Controller?

Contact details to the Controller.

Data Protection Officer.

For what purposes is or can your personal data be processed?

Disclosure of personal data by the Controller.

How long will personal data be processed in accordance with the storage limitation principle (personal data retention)?

What are the rights of the data subject?

Who is the supervisory authority?

Under what circumstances is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract?

In Information on automated decision making, including profiling.

What is the source of the data?

What scope of personal data is processed?

How do we secure personal data?

Processing of personal data using social media.

Joint controllership.

Processing of personal data based on the consent.

Personal data breach notifications.


On the basis of what legal provisions are or may be processed your personal data?

The rules on the protection of personal data (hereinafter referred to as the GDPR ) are set out, inter alia, in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016[1], on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), the Act of 10 May 2018[2] on the Protection of Personal Data  and in country related special acts (lex specialis).

Important terms

  1. "Controller" - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law,
  2. Joint controllership” – means that two ore more Controllers jointly determine the purposes and means of processing,
  3. "Personal data" - means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific physical, physiological, genetic, mental factors, economic, cultural or social identity of a natural person,
  4. "Processing" - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
  5. "Recipient" - means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing,
  6. "Processor" - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller,
  7. "Third country" - an entity outside the EEA (European Economic Area) to which personal data is disclosed,
  8. “Term of use” – ‘Regulamin” - Regulations of the Website www.muve.pl (hereinafter MUVE) available at the link: https://muve.pl/zobacz-takze/regulamin,
  9. "Privacy Policy" - this document, presenting information on the principles of personal data processing in accordance with the substantive scope indicated in art. art. 13 GDPR - information clause regarding the processing of personal data,

10.   "Cookies Policy" - information on the use of cookies on the website run by the Controller. The Cookie Policy is available on the Controller's website,

Who does this Privacy Policy apply to?

This Privacy Policy (hereinafter referred to as PP) applies to the processing of personal data of natural persons, natural persons conducting sole proprietorship and persons acting on behalf of legal persons, i.e. persons appointed to represent a legal person, proxies, employees and / or associates acting on behalf of a legal person.

Who is the Controller?

According to Art. 13 GDPR[3], i.e., the right to be informed, we would like to inform you that the Controller is MUVE Spółka Akcyjna with its registered office in Warsaw at ul. Krakowiaków No. 36, 02 - 255 Warsaw, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register under the KRS (Register No.) number 0000440351, NIP (Tax No.) number: 522-300-13-12, hereinafter referred to as "MUVE".

Contact details to the Controller

Inquiries regarding the protection of personal data should be sent via the contact form available on the website and available at the following link: https://muve.pl/pomoc/kontakt  or via the hotline at +48 22 574 25 90 (please be advised that the helpline is open from Monday to Friday from 10:00 a.m. to 4:00 p.m.), to the dedicated e-mail address: [email protected]  or by traditional mail to the above-mentioned correspondence address.

Data Protection Officer

Please be advised that the Controller has not appointed a Data Protection Officer.

For what purposes is or can your personal data be processed?

Personal data is or may be processed for the following purposes:

  1. NDA - personal data processed in connection with the preparation, conclusion and implementation of the provisions of a confidentiality agreement (NDA). The legal basis (lawfulness) for the processing of personal data is: a) in the case of natural persons: art. 6 (1) b), f) GDPR; b) in the case of legal persons: Art. 6 (1) lit. f) GDPR. Please be advised that in the case of processing personal data of natural persons and natural persons representing or acting on behalf of a legal person, the legitimate interest pursued by the Controller is considered to be: a) processing for the purpose of preparing, concluding and implementing the provisions of a confidentiality agreement (NDA) ; b) processing for purposes related to the investigation between the parties to the contract of claims arising from the performance of the provisions of the contract (NDA) - if applicable - the legitimate interest pursued by the Controller is the processing of personal data for the purpose of seeking claims for the implementation of the provisions of the contract (NDA); c) processing for internal management purposes - the legitimate interest pursued by the Controller is the control and archiving of documentation in connection with the conclusion of the contract,
  2. Agreement - personal data processed in connection with the preparation, conclusion and implementation of the provisions of the agreement. The legal basis for the processing of personal data is: a) in the case of natural persons: art. 6 (1) lit. b), f) GDPR; b) in the case of legal persons: Art. 6 (1) lit. f) GDPR. Please be advised that in the case of processing personal data of natural persons, natural persons representing or acting on behalf of a legal person, the legitimate interest pursued by the Controller is considered to be: a) processing for the purpose of preparing, concluding and implementing the provisions of the contract; b) processing for the purpose of financial settlements - activities related to the monitoring and payment of payments; c) processing for purposes related to the investigation between the parties to the contract of claims arising from the performance of the provisions of the contract - if applicable - the legitimate interest pursued by the Controller is the processing of personal data for the purpose of seeking claims for the implementation of the provisions of the contract; d) processing for internal management purposes - the legitimate interest pursued by the Controller is the exercise of control and archiving of documentation in connection with the conclusion of the contract,
  3. Personal data processed in order to prepare and present an offer with regard to own products and services. The legal basis for the processing of personal data is: a) art. 6 (1) lit. a) GDPR - consent of the data subject; b) art. 6 (1) lit. f) GDPR - legitimate interest pursued by the Controller. A legally legitimate interest is considered to be a binding relationship, including a business relationship, an ongoing contract with the data subject and data processing for internal administrative purposes, also in relation to the exercise of the rights of data subjects in connection with the possibility of exercising the rights of persons to whom data concern and provided for by law (e.g. documenting withdrawal of granted consent),
  4. In order to register in the Store in accordance with the provisions of the Regulations (https://muve.pl/zobacz-takze/regulamin) - personal data in the field of e-mail address. The legal basis for the processing of personal data is Art. 6 (1) lit. b) GDPR - processing is necessary to implement the provisions of the Regulations. In the case of registration using the User's account on the Facebook MUVE social network, we would like to inform you that only data is collected via Facebook to the extent necessary to register and use the Account,
  5. In order to implement the provisions in connection with the conclusion and implementation of the provisions of the contract in the form of the Regulations (https://muve.pl/zobacz-takze/regulamin). The legal basis for the processing of personal data is Art. 6 (1) lit. b) GDPR - processing is necessary to implement the provisions of the Regulations,
  6. In order to log into a dedicated account - personal data in the field of e-mail address. The legal basis for the processing of personal data is Art. 6 (1) lit. b) GDPR - processing is necessary to implement the provisions of the Regulations,
  7.  In order to fulfill the order and ship the ordered product - personal data in the scope of name, surname, address for delivery (street, house number, apartment number, zip code, city, country), order collection point - the legal basis for data processing personal data is Art. 6 (1) lit. b) GDPR - processing is necessary to implement the provisions of the Regulations,
  8. In order to make and monitor payments in connection with the order placed - personal data in the field of name, surname, order number, bank account number, bank name, credit card number, transaction number, voucher number, vouchers or discount code - the legal basis for processing personal data art. 6 (1) lit. b) GDPR - processing is necessary to implement the provisions of the Regulations and art. 6 (1) lit. c) GDPR - processing is necessary for the Controller to fulfil the obligation resulting from legal provisions in connection with making a payment as a result of the order placed,
  9. In order to issue and send, in an electronic version to the indicated e-mail address or in a paper version to the indicated correspondence address, proof of purchase (receipt, VAT invoice) - personal data in the scope of name, surname, company name, company address, shipping address, tax identification number - legal basis for the processing of personal data - art. 6 (1) lit. b) GDPR - processing is necessary to implement the provisions of the Regulations and art. 6 (1) lit. c) GDPR - processing is necessary for the Controller to fulfil the obligation resulting from legal provisions in connection with making a payment as a result of the order placed,
  10. In order to consider the warranty or complaint in accordance with the Regulations - personal data in the field of name, surname, e-mail, telephone number - the legal basis for the processing of personal data - art. 6 (1) lit. b) GDPR - processing is necessary to implement the provisions of the Regulations and art. 6 (1) lit. c) GDPR - processing is necessary for the Controller to fulfil the obligation resulting from legal provisions in connection with the execution of the order,
  11. In order to answer the questions (incoming correspondence) - personal data processed via the form available on the MUVE website or electronically in the form of a voice connection - personal data in the field of name, surname, e-mail - the legal basis for the processing of personal data is art. 6 (1) lit. b) GDPR - the processing of personal data is necessary in connection with the implementation of the provisions resulting from the Regulations or art. 6 (1) lit. f) GDPR - the legitimate interest of the Controller, consisting in answering the questions asked before concluding the contract in the form of Regulations,
  12. In order to send commercial information[4] (e.g. in the form of a Newsletter) by electronic means or direct marketing[5] by phone in relation to own products and services - personal data in the scope of e-mail address, telephone number. The legal basis for the processing of personal data is Art. 6 (1) lit. a) GDPR - consent of the data subject or art. 6 (1) lit. f) GDPR, i.e. the legitimate interests pursued by the Controller. The legally justified interest of the Controller is considered to be a binding contract concluded in the form of the Regulations and an ongoing business relationship. We would like to inform you about the right to withdraw the consent granted or to object to the processing at any time, without affecting the implementation of the provisions resulting from the Regulations,
  13. In connection with the online forum run by the Controller, available at: https://forum.muve.pl/ - personal data in the field of nickname, pseudonym, name, surname, login, password, image in the form of a photo, avatar (avatar ), information provided in the comments - the legal basis for the processing of personal data is art. 6 (1) lit. b) GDPR - the processing of personal data is necessary in connection with the implementation of the provisions of the Regulations and art. 6 (1) lit. a) GDPR - consent of the data subject, expressed by placing an image in the form of a photo on his profile on an online forum. Please be advised that placing personal data in the form of a photo is voluntary and fully at the discretion of the user of the online forum,
  14. In order to conduct a User satisfaction survey in the form of a satisfaction survey in an electronic form or via direct contact (by phone - voice call) in relation to the offered products, services, implementation of the provisions of the Regulations - personal data in the field of e-mail or telephone number - the basis the legal processing of personal data is Art. 6 (1) lit. a) GDPR - consent of the data subject or art. 6 (1) lit. f) GDPR - the legitimate interest of the Controller is as a binding contract or business relationship with the User. Please be advised that in the case of consent, the right to withdraw it at any time, without affecting other provisions resulting from the Regulations. In the case of the legitimate interest of the Controller, we would like to inform you about the right to object to such processing at any time without affecting other provisions resulting from the Regulations,
  15. In order to implement the loyalty programs proposed by the Controller - then information on the processing of personal data will be available in dedicated records related to the implementation of loyalty programs,
  16. For other purposes, while the content of Art. 12 and art. 13 GDPR will then be presented individually for the respective processing purpose.

Disclosure of personal data by the Controller

Please be advised that personal data may be:

  1. Disclosed to public and state authorities under the currently applicable provisions of law (e.g. the Tax Office, the Court, Police, or other public authorities / entities),
  2. Disclosure of personal data to data recipients cooperating with the Controller in order to implement the provisions of the Regulations:

a)      InPost parcel lockers (https://inpost.pl/),

b)      DPD courier (https://www.dpd.com/pl/pl/),

c)       Paczka w Ruchu (https://www.paczkawruchu.pl/),

d)     UPS courier (https://www.ups.com/pl/pl/Home.page),

e)      Polish Post (https://www.poczta-polska.pl/),

f)       Paysafecard (https://www.paysafecard.com/pl-pl/),

g)      PayU S.A. (https://poland.payu.com/),

h)      Bank (financial institution) of the Controller,

Please be advised that the above-mentioned entities to which personal data are disclosed may change. The current list of entities is available at each request of the data subject.

  1. Please be advised that personal data may be or are entrusted for processing pursuant to art. 28 GDPR (the data controller entrusted the processing of personal data - processor, processor). The Controller undertakes cooperation only with entities that meet the requirements set out in the GDPR and have implemented technical and organizational measures to secure the entrusted personal data. The categories of recipients are or may be entities providing services in the area of ​​IT, accounting, tax settlements, and legal services. The list of entities to which personal data is disclosed is available at the request of the data subject.

Transferring personal data to a third country (i.e. outside the EEA)

  1. Please be advised that personal data may be transferred to a third country, i.e. outside the EEA. In the event of transferring personal data outside the European Economic Area, such transfer may only take place on the terms set out in Chapter V of the GDPR:

1)      pursuant to art. 45 GDPR - transfer based on an adequacy decision,

2)      pursuant to art. 46 GDPR - transfer subject to appropriate safeguards, including the use of standard data protection clauses adopted by the European Commission,

  1. We hereby inform that the transfer of personal data outside the EEA may involve the risk of not ensuring sufficient security of personal data. In the event of a risk related to the transfer of personal data outside the EEA, the Controller provides such information in this Privacy Policy,
  2. Please be advised that the list of entities outside the EEA to which the Controller discloses personal data is available at the request of the data subject,
  3. List of entities that may transfer personal data outside the EEA, which may not provide sufficient protection of personal data provided for in the GDPR:

No.

The name of the entity

Link to information

The risk related to the transfer of data outside the EEA and the negative effects that may arise for the data subject

Facebook

https://www.facebook.com/legal/terms

1) unauthorized access to data,

2) loss of control over your data,

3) no possibility of exercising the rights under the GDPR,

4) other, negative effects indicated in recital (75) of the preamble to the GDPR: material and non-material effects,

LinkedIn

https://www.linkedin.com/legal/user-agreement

1) unauthorized access to data,

2) loss of control over your data,

3) no possibility of exercising the rights under the GDPR,

4) other, negative effects indicated in recital (75) of the preamble to the GDPR: material and non-material effects,

Twitter

https://twitter.com/en/tos#intlTerms

1) unauthorized access to data,

2) loss of control over your data,

3) no possibility of exercising the rights under the GDPR,

4) other, negative effects indicated in recital (75) of the preamble to the GDPR: material and non-material effects,

YouTube

https://www.youtube.com/t/terms

1) unauthorized access to data,

2) loss of control over your data,

3) no possibility of exercising the rights under the GDPR,

4) other, negative effects indicated in recital (75) of the preamble to the GDPR: material and non-material effects,

Google

https://policies.google.com/terms?hl=en&gl=be

1) unauthorized access to data,

2) loss of control over your data,

3) no possibility of exercising the rights under the GDPR,

4) other, negative effects indicated in recital (75) of the preamble to the GDPR: material and non-material effects,

Google Maps

https://www.google.com/intl/en_be/help/terms_maps/

1) unauthorized access to data,

2) loss of control over your data,

3) no possibility of exercising the rights under the GDPR,

4) other, negative effects indicated in recital (75) of the preamble to the GDPR: material and non-material effects,

How long will personal data be processed in accordance with the storage limitation principle (personal data retention)?

Please be advised that personal data are or may be processed for the period of:

  1. NDA - personal data processed in connection with the preparation, conclusion and implementation of the provisions of a confidentiality agreement (NDA) - a) in order to prepare, conclude and implement the provisions of a confidentiality agreement (NDA) - during the preparation, conclusion and time the duration of the contract - for an indefinite period or until the contract is terminated or until you object to the processing; b) for the purposes related to the investigation between the parties to the contract of claims arising from the performance of the provisions of the contract (NDA) - if applicable - for the duration of the claims in accordance with applicable law and for the period of their investigation - if applicable; c) for internal management purposes - controlling and archiving documentation in connection with the conclusion of the contract - for a period of 10 years from the date of the contract, which may be changed,
  2. Agreement - personal data processed in connection with the preparation, conclusion and implementation of the provisions of the contract) - a) in order to prepare, conclude and implement the provisions of the contract - for the duration of the preparation, conclusion and duration of the contract - for an indefinite period or until the contract is terminated or until you object to the processing; b) in order to make financial settlements - for a minimum period of 6 years from the end of the financial year; c) for purposes related to the investigation of claims between the parties to the contract for the performance of the provisions of the contract - if applicable - for the duration of the claims in accordance with applicable law and for the period of their investigation - if applicable; d) for internal management purposes - controlling and archiving documentation in connection with the conclusion of the contract - for a period of 10 years from the date of the contract, which may be changed,
  3. Personal data processed in order to prepare and present an offer with regard to own products and services -   until the consent is withdrawn, until an objection to the processing is submitted, for an indefinite period,
  4. In order to register in the Store in accordance with the provisions of the Regulations (https://muve.pl/zobacz-takze/regulamin) - for an indefinite period or until withdrawal from the contract under the conditions specified in the Regulations. It is expected that this period will be 6 years from the withdrawal from the contract, but it may be changed,
  5. In order to implement the provisions in connection with the conclusion and implementation of the provisions of the contract in the form of the Regulations (https://muve.pl/zobacz-takze/regulamin - for an indefinite period or until withdrawal from the contract under the conditions specified in the Regulations. that this period is 6 years from the withdrawal from the contract, but it may be changed,
  6. In order to log in to a dedicated account - for an indefinite period or until withdrawal from the contract under the conditions specified in the Regulations. It is expected that this period will be 6 years from the withdrawal from the contract, but it may be changed,
  7. In order to fulfill the order and ship the ordered product - until the withdrawal from the contract under the conditions specified in the Regulations. It is expected that this period is 6 years from the withdrawal from the contract or 6 years from the completion of the order, but it may be changed,
  8. In order to make and monitor payments in connection with the order placed - until the withdrawal from the contract under the conditions specified in the Regulations. It is expected that this period is 6 years from the withdrawal from the contract, but it may be changed,
  9. In order to issue and send in an electronic version to the indicated e-mail address or in a paper version to the indicated correspondence address, proof of purchase (receipt, VAT invoice) - until the withdrawal from the contract under the conditions specified in the Regulations. It is expected that this period is 6 from the withdrawal from the contract or issuing the last proof of sale, but it may be changed,
  10. In order to consider the warranty or complaint in accordance with - it is expected that this period will be 10 years from the submission of the warranty or guarantee on the terms provided for in the regulations, but it may be changed,
  11. In order to answer the questions received (correspondence) - this period is expected to be 5 years from the date of receipt of the last correspondence, but this period may be changed,
  12. In order to send commercial information (e.g. in the form of a Newsletter) by electronic means or direct marketing by phone in relation to own products and services - for an indefinite period or until the consent is withdrawn or objections to such processing are raised,
  13. In connection with the online forum run by the Controller, available at: https://forum.muve.pl/ - for an indefinite period or until the account is deleted or for a period of 6 years from the moment of withdrawal from the contract,
  14. In order to conduct a User satisfaction survey in the form of a satisfaction survey - for an indefinite period or until the consent is withdrawn or until an objection to such processing is raised,
  15. In order to implement the loyalty programs proposed by the Controller - then information on the period of personal data processing will be available in dedicated records related to the implementation of loyalty programs,
  16. For other purposes, while the content of Art. 12 and art. 13 GDPR, including the period of personal data processing, will then be presented individually for the given purpose of processing.

What are the rights of the data subject?

The information is provided about the right to request the Controller to access personal data concerning the data subject, rectify it, delete it or limit processing, or about the right to object to the processing, as well as the right to transfer data. Please be advised that due to the individual purposes of processing, interchangeably in this Privacy Policy and indicated in the Regulations, the exercise of the rights of data subjects may be limited.

Who is the supervisory authority?

We would like to inform you about the right to lodge a complaint with the supervisory body, i.e. the President of the Personal Data Protection Office (PUODO) with its seat at ul. Stawki 2 in Warsaw, https://uodo.gov.pl/pl, https://uodo.gov.pl/pl/83/155. In the case of joint controllership with Facebook Irland Limited, we would like to inform you that the supervisory body is Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland (as amended): https://www.dataprotection.ie/.

Under what circumstances is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract?

Please be advised that providing personal data is:

  1. NDA - personal data processed in connection with the preparation, conclusion and implementation of the provisions of the confidentiality agreement (NDA) - a) processing of personal data for the purpose of preparing, concluding and implementing the provisions of the confidentiality agreement (NDA) - providing personal data is contractual, and failure to provide personal data will result in the inability to prepare, conclude and implement the provisions of the contract; b) processing of personal data for purposes related to the investigation of claims between the parties to the contract for the performance of the provisions of the contract (NDA) - is voluntary, and failure to provide personal data will result in the inability to pursue claims,
  2. Agreement- personal data processed in connection with the preparation, conclusion and implementation of the provisions of the contract) - a) processing of personal data for the purpose of preparing, concluding and implementing the provisions of the contract - providing personal data is contractual, and failure to provide personal data will result in the inability to prepare , conclusion and implementation of the provisions of the contract; b) in the case of financial settlements, it is of a statutory nature and failure to provide personal data will result in the inability to meet the obligations arising from the applicable law on the Controller; c) processing of personal data for purposes related to the investigation of claims between the parties to the contract for the performance of the provisions of the contract - it is voluntary, and failure to provide personal data will result in the inability to pursue claims,
  3. Personal data processed in order to prepare and present an offer in relation to own products and own services - is voluntary, but failure to provide personal data will result in the inability to prepare and send the offer,
  4. In order to register in the Store in accordance with the provisions of the Regulations (https://muve.pl/zobacz-takze/regulamin) - providing personal data is contractual, and failure to do so will result in the inability to register in the Store in accordance with the provisions of the Regulations,
  5. In order to implement the provisions in connection with the conclusion and implementation of the provisions of the contract concluded in the form of the Regulations (https://muve.pl/zobacz-takze/regulamin) - providing personal data is contractual, and failure to do so will result in the inability to conclude and implementation of the provisions of the Regulations,
  6. In order to log into a dedicated account - providing personal data is of a contractual nature, and failure to provide them will result in the inability to log into the dedicated account and implement the provisions of the Regulations,
  7. In order to complete the order and ship the ordered product - providing personal data is contractual, and failure to provide it will result in the inability to complete the order in accordance with the provisions of the Regulations,
  8. In order to make and monitor payments in connection with the order placed - providing personal data is of a contractual nature, and failure to provide them will result in the inability to monitor payments and implement the provisions of the Regulations,
  9. In order to issue and send, in an electronic version to the indicated e-mail address or in a paper version to the indicated correspondence address, proof of purchase (receipt, VAT invoice) - providing personal data is contractual, and failure to do so will result in the inability to sending proof of purchase and implementing the provisions resulting from the Regulations,
  10. In order to consider the warranty or complaint in accordance with the Regulations - providing personal data is of a contractual nature, and failure to provide them will result in the inability to report and consider the warranty or complaint in accordance with the provisions contained in the Regulations,
  11. In order to answer the questions received (correspondence) - providing personal data is voluntary and contractual, and failure to provide them will result in the inability to answer the questions asked and the inability to implement the provisions resulting from the Regulations,
  12. In order to send commercial information (e.g. in the form of a Newsletter) by electronic means or direct marketing by phone in relation to own products and services - providing personal data is voluntary, and failure to provide them will result in the inability to send commercial information or direct marketing in for own products and services. Please be advised that if you agree to receive commercial information by electronic means in the form of a Newsletter, the consent may be revoked at any time by clicking on the link "Unsubscribe from the Newsletter" included in each Newsletter issue,
  13. In connection with the online forum run by the Controller, available at: https://forum.muve.pl/ - providing personal data is voluntary and contractual, and failure to do so will result in the inability to use the online forum. At the same time, we would like to inform you that the use of the online forum remains at the User's discretion and does not affect other provisions resulting from the Regulations,
  14. In order to conduct a User satisfaction survey in the form of a satisfaction survey - providing personal data is voluntary and does not affect other provisions that may connect the parties under the Regulations, and failure to do so will result in the inability to conduct a User satisfaction survey,
  15. In order to implement the loyalty programs proposed by the Controller - then information on the processing of personal data will be available in dedicated records related to the implementation of loyalty programs,
  16. For other purposes, while the content of Art. 12 and art. 13 GDPR will then be presented individually for the respective processing purpose.

In Information on automated decision making, including profiling

Please be advised that by entering the Controller's website, you are not subject to automated decision making, including profiling. Information on the cookies used by the Controller is available in the Cookies Policy at: https://muve.pl/zobacz-takze/informacje-o-cookies. Please be advised that in the case of entities such as: Facebook, Google, YouTube, Instagram, profiling may take place, and information on this profiling is available in the privacy policies available on the websites of the above-mentioned entities:

a) Facebook: https://pl-pl.facebook.com/privacy/explanation,

b) YouTube: https://www.youtube.com/intl/pl/about/ ,

c) Google: https://policies.google.com/privacy?gl=PL&hl=pl,

d) Instagram: https://pl-pl.facebook.com/help/instagram/519522125107875.

What is the source of the data?

Personal data is provided directly from the data subject. In the event that personal data is obtained indirectly from the data subject, we inform about the source of the data. In the case of legal persons, the source of personal data may be the publicly available registers (KRS and CEIDG) and the legal person that transfers the personal data of persons designated on behalf of the legal entity to represent it or to implement the provisions concluded between the parties.

What scope of personal data is processed?

The Controller processes personal data to the extent necessary to achieve the purposes of processing indicated in the Privacy Policy. In accordance with the principle of minimization, we process only the scope of personal data necessary to achieve the purpose of processing.

How do we secure personal data?

Please be advised that in order to protect privacy and personal data, the Controller has implemented appropriate physical, technical, organizational and legal measures to ensure the security of personal data processing and to ensure the implementation of the rights and freedoms of natural persons.

Processing of personal data using social media

Please be advised, the Controller runs Fanpage via Facebook social media: https://www.facebook.com/muvepl,  https://www.facebook.com/MuveSmile  and on Instagram: https://www.instagram.com/muvepl /. Please be advised that in the event that the Controller decides on the purposes and methods of data processing, he becomes the Controller for this personal data and entrusts the processing of personal data to social media. In the case of the processing of personal data by social media for purposes not specified by the Controller, he is not responsible for the further processing of personal data, including, inter alia, in the form of cookies used by them, profiling tools, tools for creating statistics and other purposes, and thus is not responsible for the consequences of violating the security of personal data processing by social media. Please be advised that in the case of Fanpage data on Facebook held by the Controller, personal data is transferred outside the EEA (to a third country), to entities that may not guarantee a sufficient level of personal data protection, privacy protection, may not ensure the implementation of rights and / or freedoms data subjects. The negative effects of transferring personal data outside the EEA may be property or non-material damage, loss of control over your data, inability to exercise the rights or freedoms of data subjects under the GDPR. Please be advised that the use of Fanpage on Facebook by natural persons is completely voluntary and depends only on the decision of the data subject. In addition, we would like to inform you that the negative effects for the protection of personal data and the protection of users' privacy run by the Fanpage Controller may include, among others (based on Recital 75 GDPR): pecuniary or non-pecuniary damage, discrimination, identity theft, identity fraud, financial loss, breach of reputation, breach of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization or any other significant economic damage or social, depriving a natural person of rights and freedoms or the ability to exercise control over their personal data, and other material and immaterial effects for a natural person. We would like to remind you that each FB user may, within the framework of the rights under the currently applicable provisions of law in the field of privacy protection and personal data protection, on their own request from social media exhaustive information on the violation and pursuing claims (Art. 80 and 82 GDPR). Please be advised that Fanpage users may submit a complaint directly to supervisory authority (PUODO) via the form available at: https://uodo.gov.pl/pl/.

Joint controllership

Please be advised that in connection with the Controller's data on Facebook Fanpage (https://www.facebook.com/muvepl and https://www.facebook.com/MuveSmile) and the use of the "Like" plugin on the internet forum, between the Controller and Facebook Ireland Limited, with its registered office at 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (Controller), is the process of joint controllership of personal data. Pursuant to Art. 26 GDPR, we would like to inform you that the joint controllerships have made common arrangements regarding their obligations under the GDPR. Information on joint arrangements between the Joint controllerships is available at: https://www.facebook.com/legal/controller_addendum - effective date: August 31, 2020. Please be advised that due to the joint controllership process with Facebook Irland Limited, FB may transfer personal data outside the EEA (to a third country), which may not ensure sufficient protection of personal data, exercise the rights and / or freedoms of data subjects, privacy protection. We would like to inform you about the right to make inquiries regarding the joint controllership process individually for each of the joint controller. Please be advised that the supervisory authority competent for Facebook Irland Limited is Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland (as amended): https://www.dataprotection.ie/.

Processing of personal data based on the consent

Please be advised that in the case of processing personal data based on the consent of the data subject (Article 6 (1) (a) of the GDPR):

  1. In order to send commercial information (e.g. in the form of a Newsletter) by electronic means or direct marketing by phone in relation to own products and services, the data subject has the right to withdraw the consent granted to processing at any time, without affecting the implementation provisions resulting from the Regulations. Withdrawal of consent may be reported in the selected form, in accordance with the contact details provided to the Controller indicated above. Please be advised that if you agree to receive commercial information by electronic means in the form of a Newsletter, the consent may be revoked at any time by clicking on the link "Unsubscribe from the Newsletter" included in each Newsletter issue,
  2. In connection with the online forum run by the Controller, available at: https://forum.muve.pl/ - personal data in the field of nickname, pseudonym, name, surname, image in the form of a photo, avatar (avatar), information provided in comments - processing takes place with the consent of the data subject, expressed by posting the above-mentioned personal data on his profile on the internet forum. Please be advised that the placement of the above-mentioned personal data is voluntary and fully at the discretion of the User of the online forum,
  3. In order to conduct a User satisfaction survey in the form of a satisfaction survey - the data subject has the right to withdraw the consent granted for processing at any time, without affecting the implementation of the provisions resulting from the Regulations. Withdrawal of consent may be reported in the selected form, in accordance with the contact details provided to the Controller indicated above.

Personal data breach notifications

We hereby inform that pursuant to Art. 34 GDPR, in the event of a breach of personal data protection that may result in a high risk of violation of the rights or freedoms of natural persons, the Controller shall notify the data subject of such a personal data breach without undue delay. Please be advised that pursuant to Art. 34 GDPR, personal data may be processed in connection with the personal data breach referred to above. Please be noted that the legal basis for the processing of personal data is art. 6 (1) lit. c) GDPR. Please be advised that in the event of a personal data breach, the Controller will take all possible and available technical and organizational measures to meet the requirements set out in art. 33 and art. 34 GDPR.


[3] Information provided when collecting data from the data subject - art. 13 GDPR

[4] Art. 10 of the Act on Providing Services by Electronic Means (http://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20021441204)