Controller – Perła – Browary Lubelskie S.A. based in Lublin, ul. Bernardyńska 15, 20-950.
Personal data – all information on a natural person identified or identifiable with one or several specific factors specifying the physical, physiological, genetic, mental, economic, cultural or social identity, including the IP of the device, location data, the online identifier and information collected through cookies and other similar technologies.
GDRP – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
User – each natural person visiting the Website or using on or more services or functionalities described in the Policy.
Processing data related to the use of the website
Due to the use of the Website by the User, the Controller collects data in the scope necessary to provide the respective services and information on the User's activity on the Website. Below there are detailed rules and purposes for the processing of Personal Data collected during the use of the Website by the User.
Purposes and legal basis for data processing on the website
Using the website
Personal data of all persons using the Website (including data on reaching the age of 18, IP or other identifiers and information collected through cookies or other similar technologies) who are not registered Users (i.e. persons without a profile on the Website), are processed by the Controller:
for the purpose of providing services through electronic means, in terms of providing Users with access to the content of the Website – in such case the legal basis for processing is the necessity of the processing for the performance of a contract (Article 6 (1) (b) of the GDRP);
for analytical and statistical purposes – in such case the legal basis for processing is the legitimate interests pursued by the Controller (Article 6 (1) (f) of the GDRP) consisting in the analyses of Users' activity and their preferences in order to improve the available functionalities and services provided;
for the purpose of the potential determination and pursing claims or protection against claims – the legal basis for the processing is the legitimate interests pursued by the Controller (Article 6 (1) (f) of the GDRP) consisting in the protection of its rights;
User's activity on the Website, including their personal data, are recorded in system logs (a special computer program for recording in a chronological order information on events and actions related to the IT system used for the provision of services by the Controller). Information collected in logs is processed primarily for purposes related to the provision of services. The Controller processes it also for technical and administrative purposes, in order to ensure the security of the IT system and to manage the system, and also for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interests pursued by the Controller (Article 6 (1) (f) of the GDRP).
The Controller shall process the Personal Data of Users visiting the Controller's social media profiles (Facebook, Instagram). The data are processed in relation to running a profile, in order to inform Users of the Controller's activities and promote various events, services and products. The legal basis for the processing of Personal Data by the Controller for this purpose is the legitimate interests pursued by the Controller (Article 6 (1) (f) of the GDRP) consisting in the promotion of its own brand. More information on the processing of Personal Data is available on our social media profiles.
Cookies and similar technologies
Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information that makes it easier to use the website, e.g. by remembering User's visits to the Website and their activity.
user input cookies (session identifiers) for the duration of a session;
authentication cookies used for services requiring authentication for the duration of a session;
user centric security cookies, used for detecting violations during authentication;
multimedia player session cookies (e.g. flash player cookies) for the duration of a session;
permanent user interface customisation cookies for the duration of a session or a short time after.
Analytical and marketing tools used by the Controller's partners
Google Analytics cookies are files used by the Google company in order to analyse the manner of using the Website by the User and to create statistics and reports on the functioning of the Website. Google does not use data collected for User identification or combine the information to enable their identification. Detailed information on the scope and rules of collecting data in relation to the service can be found under the link: https://www.google.com/intl/pl/policies/privacy/partners.
Google AdWords is a tool enabling the measuring of the effectiveness of advertising campaigns run by the Administrator, enabling the analysis of such data as keywords or the number of unique users. The Google AdWords platform also enables the displaying of our ads to people who have visited the Website. Information on the processing of data by Google within the above service is available under the link: https://policies.google.com/technologies/ads?hl=pl.
Facebook Pixel is a tool making it possible to measure the effectiveness of advertising campaigns carried out by the Controller on Facebook. The tool enables advanced data analytics in order to optimise the Controller's activities, also with the use of other tools offered by Facebook. Detailed information on data processed by Facebook is available under the link: https://pl-pl.facebook.com/help/443357099140264?helpref=about_content.
Managing cookies settings
The consent is not required only for cookies the use of which is necessary for the provision of a telecommunications service (data transmission in order to display content).
The terms of data processing by the Controller depends on the type of service and the purpose of the processing. As a rule, data are processed for the time during which a service is provided or an order is fulfilled until the consent is revoked or an effective objection to data processing in cases when the legal basis for the data processing is the legitimate interests pursued by the Controller.
The data processing term can be extended in the case when the processing is necessary to establish and make potential claims or defend against such claims, and after that time only in the case and in the scope required by law. After the lapse of the processing term, the data are irreversibly erased or rendered anonymous.
Authorisations related to personal data processing
Data subject rights
Data subjects are entitled to the following rights:
the right to information on personal data processing – on this basis the Controller provides to a natural person submitting a request information on data processing, primarily on the purposes and legal bases for the processing, the range of the data, the entities to which they are disclosed and the planned date of erasure of such data;
the right to obtain copies of data – on this basis the Controller provides a copy of the processed data regarding the natural person submitting the request;
the right to rectify – the Controller shall remove any discrepancies or errors in the processed Personal Data and supplement them if they are incomplete;
the right to erase data – on this basis it is possible to request the erasure of data the processing of which is no longer necessary for the fulfilment of none of the purposes for which they were collected;
the right to restrict processing – in the event of receiving such request, the Controller will discontinue all operations on Personal Data, except for operations to which the data subject consented – and cease to store them in line with the adopted retention rules or until the reasons for data processing restrictions no longer apply (e.g. a decision of a supervisory body will be issued permitting personal data processing);
the right to data portability – on this basis – to an extent to which the data processing is carried out by automated means in relation to a concluded contract or expressed consent – the Controller shall provide data received from the data subject in a computer-readable format. It is also possible to request the provision of the data to another entity, under the condition, however, that this is technically possible both for the Controller and the entity in question;
the right to object to the processing of data for marketing purposes – the data subject may at any moment object to the processing of Personal Data for marketing purposes without the need to justify such request;
the right to object to other purposes of data processing – the data subject may at any moment object to – for reasons related to their specific situation – to the processing of Personal Data on the basis of the legitimate interests pursued by the Controller (e.g. for analytical or statistical purposes or for reasons related to property protection); such objection should be justified;
the right to withdraw the consent – if the data are processed on the basis of an expressed consent, the Data Subject is entitled to withdraw the consent at any moment, which, however, does not have an impact on the legality of the processing carried out before the withdrawal;
the right to lodge a complaint – in the event of finding that the processing of Personal Data infringes on the provisions of the GDPR or other Data Protection regulations, the Data Subject may lodge a complaint to a body supervising Personal Data Processing competent for the place of stay of the Data Subject, their place of work or the place of the alleged infringement. The supervisory body in Poland is the President of the Data Protection Office.
Submitting request related to the exercise of rights
The request referring to the exercising of the rights of Data Subject may be submitted:
in a written form to the Controller's address;
in an electronic form to the email address: email@example.com
If possible, the request should specify precisely the nature of the request, in particular:
the authorisation that the requesting party intends to use (e.g. the right to obtain a copy of the data, to erase the data, etc.)
the type of the processing to which the request related (e.g. the use of a specific service, activity on a specific website, receiving a newsletter with commercial information to a specific email address, etc.);
the purposes of processing to which the request related (e.g. marketing purposes, analytical purposes, etc.).
If the Controller is not able to identify the natural person on the basis of the request, it will apply to the requesting party for additional information. The provision of such data is not obligatory, but their lack will result in a refusal to fulfil the request.
The request may be submitted in person or through a representative (e.g. a family member). For data security reasons, the Controller encourages the use of a power of attorney in a form certified by a civil-law notary or authorised legal counsel or attorney, which will considerably streamline the verification of the authenticity of the request.
The reply to the request should be provided within a month after its receipt. Should it be necessary to extend the time limit, the Controller will inform the requesting party of the reasons for doing so.
In the event when the request was submitted to the Company via electronic means, the answer shall be provided in the same form, unless the requesting party asked for a reply in a different form. In other cases, replies shall be provided in writing. In the event when the time limit for the fulfilment of the request makes a written reply impossible, and the scope of the requesting party's data processed by the Controller enables contact via electronic means, the reply should be provided via electronic means.
The request handling procedure is free of charge. Charges can be collected only in the following cases:
submitting a request to provide the second and each subsequent copy of the data (the first copy is free of charge); in such case the Controller may demand a charge of PLN 200. The above charge includes administrative costs related to the fulfilment of the request;
the submission of excessive (e.g. extraordinarily frequent) or evidently unjustified requests by the same person; in such case the Controller may demand a charge of PLN 500. The above charge includes the costs of communication and costs related to taking the requested actions;
In the event of questioning a decision to impose a charge, the data subject may lodge a complaint to the body supervising Personal Data Processing competent for the usual place of stay of the Data Subject, their place of work or the place of the alleged infringement. The supervisory body in Poland is the President of the Data Protection Office.
Due to the performance of services, Personal Data will be provided to external entities, in particular to suppliers responsible for the delivery and maintenance of IT systems and entities related to the Controller.
The Controller reserves itself the right to disclose selected information regarding the User to competent authorities or third parties following their request to provide such information on a valid legal basis and in line with the provisions of the applicable law.
Transferring data outside the EEA
The level of protection of Personal Data outside the European Economic Area (EEA) differs from the one provided by EU law. For this reason, the Controller shall transfer Personal Data outside the EEA only if this is necessary, with the provision of an appropriate degree of protection, primarily through:
cooperation with entities processing Personal Data in countries for which a suitable decision of the European Commission was issued confirming the provision of an appropriate level of protection of Personal Data;
the application of standard contractual clauses formulated by the European Commission;
the application of binding corporate rules approved by the competent supervisory body;
in the event of transferring data to the US – cooperation with members of the Privacy Shield, approved with a decision of the European Commission.
The Controller shall always notify of the intention to collect Personal Data outside the EEA at the stage of their collection.
Security of Personal Data
The Controller shall carry out a risk analysis on an ongoing basis in order to ensure that it processes Personal Data in a secure manner, primarily that only authorised persons have access to the data and only to an extent necessary for them to perform their tasks. The Controller shall ensure that all operations on Personal Data are recorded and performed only by authorised employees and collaborators.
The Controller shall make all efforts necessary to ensure that its subcontractors and other cooperating entities guarantee the application of suitable security measures in each case of processing Personal Data as part of an assignment from the Controller.
Contact with the Controller is possible through the email address firstname.lastname@example.org or the correspondence address of the Controller.
The Controller appointed a Data Protection Coordinator, who can be contacted through email email@example.com with regard to any Personal Data processing issues.
The Policy is verified on an ongoing basis and updated when necessary.
The current version of the Policy was adopted on 25 November 2019 and has been in force since that date.