Privacy policy

We respect your privacy and are committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

CONTENTS:

  1. GENERAL PROVISIONS
  2. BASES FOR PROCESSING OF DATA
  3. PURPOSE, BASIS, PERIOD AND EXTENT OF PROCESSING OF DATA ON THE WEBSITE
  4. RECIPIENTS OF THE DATA ON THE WEBSITE
  5. PROFILING ON THE WEBSITE
  6. RIGHTS OF THE DATA SUBJECT
  7. COOKIES ON THE WEBSITE, OPERATIONAL DATA AND ANALYTICS
  8. FINAL PROVISIONS

GENERAL PROVISIONS

  1. This privacy policy of the Website is for information purposes, which means it is not a source of obligations for Customers of the Website. Privacy policy contains first and foremost rules of processing of the personal data by the Administrator on the Website and rights of the data subject as well as information regarding the use of cookies and analytical tools on the Website.
  2. The Administrator of the personal data collected via the Website is „The Market and Social Research Institute” Foundation with its registered office in Warsaw (address: 00-807 Warsaw, Al. Jerozolimskie nr 96), NIP: 7010413440, REGON: 14711540400000, entered into the register of associations, other social and professional organisations, foundations and public health care institutions under number KRS 0000495043, which registration files are kept in the District Court for the capital city of Warsaw, 12th Commercial Division of the National Court Register, represented by: Marcin Duma – Chairman of the Board, who is authorized to represent the Foundation individually and e-mail address: biuro@ibris.pl – hereinafter referred to as „the Administrator” which is also the Service Provider of the Website.
  3. Personal data on the Website is processed by the Administrator in accordance with applicable law, in particular with the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) – hereinafter referred to as ‘GDPR’. The official text of the GDPR: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679
  4. Using the Website, including entering into contracts is voluntary. Similarly, providing the personal data by the user of the Website is voluntary, subject to two exceptions: (1) entering into contracts with the Administrator – in case of failure to provide personal data in cases and in extent indicated on the Website and in the Regulations of the Website and this privacy policy, which is necessary to enter into and perform a contract for the provision of Electronic Service with the Administrator results in the inability to enter into this contract. Providing personal data is in this case a contractual requirement and if the data subject wants to enter into given contract with the Administrator, he or she has to provide the required data. Each time, the extent of data required to enter into a contract is indicated beforehand on the Website and in the Regulations of the Website; (2) statutory obligations of the Administrator – providing personal data is a statutory obligation resulting from generally applicable laws that impose on the Administrator an obligation to process personal data  (e.g. processing data for the purpose of keeping tax and account books ) and failing to provide them will prevent the Administrator from performing those obligations.
  5. The Administrator takes special care to protect the interests of the data subjects whose personal data they process, and in particular is responsible and ensures that  the data he collects is: (1) processed lawfully; (2) collected for specified, legitimate purposes and not subject to further processing incompatible with those purposes; (3) content related and appropriate in relation to the purposes for which they are processed; (4) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and (5) processed in a manner that ensures appropriate safety of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
  6. Taking into account the nature, extent, context and purposes of processing as well as the risk of violation of the rights or natural persons’ freedoms with different probability and severity of the threat, the Administrator implements the appropriate technical and organizational measures for the processing to take place in accordance with this regulation and to be able to prove it. Those measures are reviewed and updated if necessary. The Administrator uses technical measures that prevent the acquisition and modification by unauthorized persons the personal data sent electronically.

BASES FOR PROCESSING OF DATA

  1. The Administrator is authorized to process personal data if and to the extent that at least one of the following applies: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Administrator is subject; or (4) processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  2. Processing of personal data by the Administrator requires each time at least one of the basis indicated in section 2.1 of the privacy policy. Specific bases of the processing of personal data of the Customer of the Website by the Administrator are indicated in the next section of the privacy policy – in relation to the given purpose of the processing of personal data by the Administrator.

PURPOSE, BASIS, PERIOD AND EXTENT OF PROCESSING OF DATA ON THE WEBSITE

  1. Each time the purpose, basis, period and extent as well as the recipients of the personal data processed by the Administrator result from actions taken by a given Customer on the Website.
  2. The Administrator may process personal data on the Website for the following purposes, on the following bases, within periods and to the following extent:

Performance of a contract for the provision of Electronic Service

Lawful basis of the processing and storage period: Article 6(1) point (b) of the GDPR (performance of a contract) The data is stored for the period necessary to perform, terminate or expire a contract concluded in a different manner.

Extent of the processing of data: Maximum extent: name; e-mail address; contact number; street name, building number, suite number, postal code, town, country, home address/business address/registered office address. In the case of non-consumer Customers the Administrator may additionally process the company’s name and tax identification number  (NIP) of the Customer.

Direct marketing

Lawful basis: Article 6(1) point (f) of the GDPR (legitimate interest of the Administrator). The data is stored for the duration of legitimate interest pursued by the Administrator, but no longer than the period of limitation of claims in relations to the data subject, due to the business activity run by the Administrator. The limitation period is defined by the law, in particular by the civil code (the basic period of limitation for claims related to running a business is three years, and for a contract of sale two years). The Administrator cannot process data for direct marketing purposes if the data subject objected in this regard.

Extent of the processing of data: E-mail address

Marketing

Lawful basis: Article 6(1) point (a) of the GDPR (consent). The data is kept until the data subject withdraws his or her consent for further processing of his or her data for this purpose.

Zakres: Name/surname, e-mail address

Tax and account books

Lawful basis: Article 6(1) point (c) of the GDPR in relation to Article 86 § 1 of the Tax Ordinance Act i.e. from 17 January 2017 (Dz.U. (Journal of Laws) from 2017  item 201) or Article 74(2) of the The Accounting Act i.e. from 30 January 2018 (Dz.U. (Journal of Laws) from 2018 item 395). The data is stored for a period required by law that orders the Administrator to keep the tax books (until the day the statute of limitations of the tax obligation expires, unless statutory tax law provides otherwise) or account books (5 years, counting from the beginning of the year following the financial year that the data concern).

Extent of the processing of data: Name; home address/business address/registered office address (if it differs from the delivery address), name of the company and tax identification number  (NIP) of the Customer.

Establishment, investigation or defense of claims that may be raised by the Administrator or that may be raised against the Administrator

Lawful basis: Article 6(1) point (f) of the GDPR The data is stored for the duration of legitimate interest pursued by the Administrator, but no longer than the period of limitation of claims in relations to the data subject, due to the business activity run by the Administrator. The limitation period is defined by the law, in particular by the civil code (the basic period of limitation for claims related to running a business is three years, and for a contract of sale two years).

Extent of the processing of data: Name; contact number; e-mail address; delivery address (street name, building number, suite number, postal code, town, country), home address/business address/registered office address (if it differs from the delivery address). In the case of non-consumer Customers the Administrator may additionally process the company’s name and tax identification number  (NIP) of the Customer.

RECIPIENTS OF THE DATA ON THE WEBSITE

  1. For the proper functioning of the Website, including the implementation of contracts for the provision of electronic services, it is necessary for the Administrator to use the services of external entities (such as e.g. software supplier). The Administrator uses only services of such processors that provide sufficient guarantees to implement the appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR and protects the rights of the data subjects.
  2. The data transfer by the Administrator does not happen in each case and not to all recipients or categories of recipients indicated in the privacy policy – the Administrator transfers data only when it is necessary for performance of a given purpose of the processing of personal data and only to an extent necessary for the performance.
  3. Personal data of Customers of the Website may be transferred to the following recipients or categories of recipients

3a. Service providers that supply the Administrator with technical, IT and organizational solutions that enable the Administrator to run business activity, including the Website and Electronic Services provided via it (in particular computer service suppliers for runing the Website, e-mail and hosting suppliers as well as software suppliers for company management and technical support for the Administrator) – the Administrator makes the collected personal data of the Customer accessible to a selected supplier, who acts on his or her behalf only if and to the extent necessary to fulfil a given purpose of data processing compatible with this privacy policy.

3b. Suppliers of accounting, legal and advisory services that provide the Administrator accounting, legal or advisory support (in particular an accounting office, law firm or debt collection agency) – the Administrator makes the collected personal data of the Customer accessible to a selected supplier, who acts on his or her behalf only if and to the extent necessary to fulfil a given purpose of data processing compatible with this privacy policy.

PROFILING ON THE WEBSITE

  1. GDPR creates an obligation for the Administrator to inform about automated decision making, including profiling referred to in Article 22(1) and (4) of the GDPR, and – at least in those cases – about vital information about the rules for taking them as well as their significance and predicted consequences of such processing for the data subject . With this in mind, the Administrator provides in this section of the privacy policy information concerning possible profiling.
  2. The Administrator may use profiling on the Website for direct marketing purposes, but decisions made on the basis of it by the Administrator do not concern entering into a contract or refusing to enter into a contract for the provision of electronic services or the possibility of using Electronic Services on the Website. The result of using profiling on the Website may be e.g. sending a proposal that can correspond to the interests or preferences of a given person or proposing better conditions compared to the standard offer of the Website. Despite profiling, a given person makes a free decision whether he or she wants to use a discount received in this way or better conditions and make a purchase on the Website.
  3. Profiling on the Website is based on an automatic analysis or forecast of the behavior of a given person on the Website or through an analysis of the previous history of activities taken on the Website. The condition of such profiling is for the Administrator to have the personal data of a given person in order to be able to send him or her e.g. a discount code.
  4. The data subject has the right not to be subject to a decision that is based solely on automated processing, including profiling, and produces legal effects against this person or affects this person substantially in a similar way.

RIGHTS OF THE DATA SUBJECT

  1. Right of access, right to rectification, right to restriction, right to erasure or right to portability – the data subject shall have the right to request from the Administrator an access to his or her personal data, their rectification, erasure (‘right to be forgotten’) or restriction of processing and has the right to object to the processing as well as to transfer his or her data. Detailed conditions of exercising the abovementioned rights are indicated in Articles 15-21 of the GDPR.
  2. Right to withdraw consent at any time – the person, whose data is processed by the Administrator on the basis of their consent (on the basis of Article 6(1) point (a) or Article 9(2) point (a) of the GDPR), shall have the right to withdraw the consent at any time without affecting the lawfulness of the processing which was made on the basis of the consent prior to its withdrawal.
  3. Right to lodge a complaint with a supervisory authority – the person, whose data is processed by the Administrator shall have the right to lodge a complaint with a supervisory authority in a manner and mode specified in provisions of the GDPR and Polish law in particular the Act on the Protection of Personal Data. The supervisory authority in Poland is the President of Personal Data Protection Office.
  4. Right to object – The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6(1) point (e) (interest or public service) or (f) (legitimate interest of the Administrator), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
  5. Right to object that concerns direct marketing – Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

COOKIES ON THE WEBSITE, OPERATIONAL DATA AND ANALYTICS

  1. Cookies are small text information in the form of text files sent by the server and saved on the side of the person visiting the Website (e.g. on a hard drive of a computer, laptop or on a smartphone’s memory card – depending on what device the user of our Website is using). Detailed information about Cookies files and the history of their making can be found i.a. on: http://pl.wikipedia.org/wiki/Ciasteczko.
  2. The Administrator may process the data contained in Cookies when visitors use the Website for the following purposes:
  • identification of the Customers as logged in to the Website and showing that they are logged in;
  • remembering the data from filled out forms or login details to the Website;
  • customizing the content of the Website for the individual preferences of the Customer (e.g. regarding colors, font size, page layout) and optimizing the use of the Website pages;
  • keeping anonymous statistics that show how the Website is used;
  • remarketing, that is, research on the behavior of visitors of the Website by anonymous analysis of their activities (e.g. repeated visits to the specific pages, key words, etc.) in order to create their profile and to provide them with advertisements fitted for their expected interests, also when they visit other websites in the advertising network of Google Inc. and Facebook Ireland Ltd

Normally, most of the web browsers available on the market accept Cookies by default. Everyone has the possibility to define the terms of using Cookies in the settings of own web browser. This means that you can e.g. partially restrict (e.g. for the time being) or completely disable the option of saving Cookies – in the last case, however, it may affect some of the functionalities of the Website.

Web browser settings in the scope of Cookies are important from the point of view of the consent to use Cookies by our Website – in accordance with the law such consent may be also given through the settings of the web browser. In the absence of such consent the setting of the web browser within the scope of Cookies should be changed accordingly.

Detailed information about changing the settings regarding Cookies and their removal by oneself on the most popular web browsers is available in the help section of the web browser and the following web pages (just click on a link):

in the Chrome browser

in the Firefox browser

in the Internet Explorer browser

in the Opera browser

in the Safari browser

in the Microsoft Edge browser

The Administrator may use in the Online Store the services from Google Analytics, Universal Analytics, Google Tag Manager provided by Google Inc. (1600 AmphitheatreParkway, MountainView, CA 94043, USA), the tools provided by Gemius SA (ul. Domaniewska 48, 02-672 Warsaw), the tools provided by Alexa Internet, Inc. (PresidioBuilding 37, San Francisco, CA 94129-0141, USA). These services help the Administrator to analyze the web traffic in the Online Store. The data collected is processed as a part of the abovementioned services in an anonymized way (those are so-called operational data that prevent the person from being identified) to generate statistics that are helpful with administering the Online Store. Those data are aggregate and anonymous in nature, i.e. they do not contain identification features (personal data) of the person visiting the website of the Online Store. The Administrator by using the abovementioned services in the Online Store collects such data as the source and medium of obtaining visitors to the Online Store and the way that they behave on the website of the Online Store, information about devices and browsers that they use to visit the website, IP and domain, geographic data and demographic data (age, sex) and interests.

b) It is possible by a given person to easily block the providing of information about his or her activity on the Website to Google Analytics – you can install the browser plug-in provided by Google Inc. available on: https://tools.google.com/dlpage/gaoptout?hl=pl

The Administrator may use on the Website the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Administrator to measure the effectiveness of advertisements and to find out what activities are being undertaken by the visitors of our Website as well as to display fitted ads to those persons. You can find detailed information about the operation of Facebook Pixel at the following address: https://www.facebook.com/business/help/742478679120153?helpref=page_content. Managing the operation of Facebook’s Pixel is possible through the ads settings on your account on Facebook.com: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

FINAL PROVISIONS

The Website may contain links to other websites. After going to other websites, the Administrator encourages to read the privacy policy established on those websites,. This privacy policy concerns only the Website of the Administrator.