TABLE OF CONTENTS:

  1. GENERAL PROVISIONS
  2. DATA PROCESSING BASICS
  3. PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING ON THE WEBSITE
  4. DATA RECIPIENTS ON THE WEBSITE
  5. PROFILING ON THE WEBSITE
  6. THE RIGHTS OF THE DATA SUBJECT
  7. COOKIES ON THE WEBSITE, OPERATIONAL DATA AND ANALYSIS
  8. FINAL PROVISIONS
  9. GENERAL PROVISIONS

1. GENERAL PROVISIONS

1.1. This privacy policy of the Website is informative, which means that it is not a source of obligations for the Recipients or Clients of the Website. The privacy policy contains primarily rules for the processing of personal data by the Controller on the Website, including the basis, purposes and scope of personal data processing and the rights of data subjects, as well as information on the use of cookies and analytical tools on the Website.

1.2. The Controller of personal data collected via the Website is EMOTIS Sp. z o.o., Flisa Street 4, 02-247 Warsaw, NIP: 7743235856, REGON: 368071383, included in the Register of Entrepreneurs of National Court Register, kept by the District Court of Warsaw, XIV Economic Department of National Court Register under the KRS number 0000691114, with the share capital of 1 100 000 PLN.; e-mail address: biuro@emotis.pl - hereinafter referred to as „Controller” and being also the Service Provider of the Website and the Seller.


1.3. Contact details of the data protection officer designated by the Controller: Bartłomiej Pejo, contact number: +48 22 230 2006 and e-mail address: iod@emotis.pl.


1.4. Personal data on the Website is processed by the Controller in accordance with applicable law, in particular in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) - hereinafter referred to as „GDPR” lub „GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679


1.5. Using the Website, including purchases making is voluntary. Similarly, providing personal data by the Recipient or Client using the Website is voluntary, subject to two exceptions: (1) concluding agreements with the Controller - in cases and in the scope indicated on the Website and in the Regulations of Lease and this privacy policy, not providing personal data necessary to conclude and perform the Lease or Sale Agreement with the Controller results in the inability to conclude this agreement. Providing personal data is in this case a contractual requirement and if the data subject wants to conclude a given agreement with the Controller, he or she is obliged to provide the required data. Each time, the scope of data required to conclude the agreement is previously indicated on the Website and in the Regulations of Lease; (2) statutory obligations of the Controller - providing personal data is a statutory requirement resulting from generally applicable law that impose an obligation on the Controller to process personal data (e.g. data processing for the purpose of keeping tax or accounting books) and not providing them makes impossible to the Controller from performing these duties.


1.6. The Controller takes special care to protect the interests of data subjects, in particular is responsible and ensures that the data collected by him are: (1) processed lawfully; (2) collected for specified, legitimate purposes and not further processed in a manner that is incompatible with those purposes; (3) accurate and adequate to what is necessary in relation to the purposes for which they are processed; (4) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and (5) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


1.7. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. The Controller uses technical measures to prevent the acquisition and modification by unauthorized persons of personal data sent electronically.


1.8. All words, expressions and acronyms appearing in this privacy policy and starting with a capital letter (e.g., the Lessor, Seller, Website) should be understood in accordance with their definition contained in the Regulations of Lease available on the Website.


2. DATA PROCESSING BASICS

2.1. The Controller is entitled to process personal data if and to the extent that at least one of the following applies: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject or (4) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


2.2. The processing of personal data by the Controller requires each time at least one of the basis indicated in point 2.1 of this privacy policy. The specific basis for processing the personal data of the Recipients and Clients of the Website by the Controller are indicated in the next point of this privacy policy - in relation to the given purpose of personal data processing by the Controller.


3. PURPOSE, BASIS, PERIOD AND SCOPE OF DATA PROCESSING ON THE WEBSITE

3.1. The Controller may process personal data on the Website for the following purposes, on the following basis, in periods and in the following scope:

The scope of the processed data Legal basis for processing and data retention period The scope of the processed data
Execution of the Lease and Sales Agreement or taking action at the request of the data subject, before concluding the above contracts

Article 6 point 1 letter b) of GDPR (performance of a contract).


The data is stored for the period necessary to perform, terminate or expire in different way of the concluded contract, as well as after the contract has been executed to be made available only to authorized bodies (eg Police, Municipal Police).


The data is stored for the duration of the legitimate interest pursued by the Controller, but no longer than for the period of limitation of claims against the data subject, due to the Controller's business operations and for offenses and crimes committed with the use of a car that is the subject of the Lease. The limitation period is defined by the law, in particular the Civil Code, Offenses Code, Highway Code and Criminal Code (the basic period of limitation for claims related to traffic offense is one years, and ten years for traffic crime).

Maximum scope: name and surname; PESEL; ID number; driver's license number, e-mail address; phone number; delivery address (street, house number, apartment number, postal code, city, country), address of residence / business activity / headquarters (if different from delivery address).

In the case of Clients or Recipients who are not consumers, LAVA may additionally process the company's name and tax identification number (NIP) of those Clients or Recipients.

This is the maximum scope - in the case of, for example, personal collection, it is not necessary to provide the delivery address.

Direct marketing

Article 6 point 1 letter f) of GDPR (the legitimate interests of the controller).

The data is stored for the duration of the legitimate interest pursued by The Controller, but no longer than for the period of limitation of claims against the data subject, due to the Controller's business operations. The limitation period is defined by the law, in particular the Civil Code (the basic period of limitation for claims related to operating a business is three years, and two years for a sales contract).

The controller can not process data for direct marketing purposes in case of effective objection in this regard by the data subject.

Name, surname, phone number, e-mail address
Marketing

Article 6 point 1 letter a) of GDPR (consent).

The data is stored until the data subject withdraws his consent for further processing of his data for this purpose.

Name, surname, phone number, e-mail address
Client's opinion about the concluded Sales Contract

Article 6 point 1 letter a) of GDPR.


The data is stored until the data subject withdraws his consent for further processing of his data for this purpose.

Name, surname, phone number, e-mail address
Bookkeeping

Article 6 point 1 letter c) of GDPR in connection with article 74 point 2 of Accounting Act (ustawa o rachunkowości z dnia 30 stycznia 2018 r. (Dz.U. z 2018 r. poz. 395).

The data is stored for the period required by law requiring the Controller to store tax books (until the tax period expires, unless the tax laws provide otherwise) or accounting books (5 years from the beginning of the year following the financial year to which the data pertain).

Name and surname; address of residence / business activity / headquarters (if different from the delivery address), company name and tax identification number (NIP) of the Recipient or Client
Determination, claiming or defense of claims that may be raised by the Controller or which may be raised against the Controller

Article 6 point 1 letter f) of GDPR.

 
The data is stored for the duration of the legitimate interest pursued by LAVA, but no longer than for the period of limitation of claims against the data subject, due to the business activity conducted by the Controller. The limitation period is defined by the law, in particular the Civil Code (the basic period of limitation for claims related to operating a business is three years, and two years for a sales contract).

Name and surname; phone number; e-mail address; delivery address (street, house number, apartment number, postal code, city, country), address of residence / business activity / headquarters (if different from delivery address).

In the case of Clients or Recipients who are not consumers, the Controller may additionally process the company's name and tax identification number (NIP) of those Clients or Recipients.

4. DATA RECIPIENTS ON THE WEBSITE

4.1. For the proper functioning of the Website, including for the execution of cocluded Sales Agreements, it is necessary for the Controller to use the services of external entities (such as, for example, software provider, courier or payment service provider). The Controller uses only the services of such processors who provide sufficient guarantees to implement the appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR Regulation and protects the rights of the data subjects.


4.2. The transfer of data by the Controller is not in each case and not to all indicated in the privacy policy recipients or categories of recipients – The Controller transmits data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it. For example, if the Client choses a personal collection, his data will not be transferred to the carrier cooperating with the Controller.


4.3. The personal data of the Recipients and Clients of the Website may be transferred to the following recipients or categories of recipients:


4.3.1. carriers / forwarders / courier brokers - in the case of a Client who choses, on the Website, the method of delivery of the Product or documents (e.g. contracts) by post or courier, the Controller provides the Client's collected personal data to the selected carrier, forwarder or agent performing the shipment on behalf of the Controller to the extent necessary to deliver the product to the Client.

4.3.2. entities handling electronic payments or by credit card - in the case of a Client who uses, on the Website, an electronic payment method or by a credit card, the Controller provides the Client's collected personal data to a selected entity servicing the above payments one the Website on behalf of the Controller to the extent necessary to handle payments made by the Client.

4.3.3. suppliers of the opinion polling system - in the case of a Client who agreed to express an opinion on the concluded Sale or Lease Agreement, the Controller provides the Client's collected personal data to a selected entity providing a system of surveys expressing opinions on the concluded Sales or Lease Agreement on the Website on the request of the Controller to the extent necessary to express an opinion by the opinion polling system.

4.3.4. service providers who provide the Controller with technical, IT and organizational solutions, enabling the Controller to operate business activity, including the Website and Electronic Services provided through it (in particular, computer software suppliers to run the Website, e-mail and hosting providers and software providers for company management and technical support for the Controller) – the Controller provides the collected personal data of the Client to a selected supplier acting on his behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.

4.3.5. accounting, legal and consulting services providers who provide the Controller with accounting, legal or consulting support (in particular, an accounting office, a law firm or a debt collection company) – the Controller provides the collected personal data of the Client to a selected supplier acting on his behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.

4.3.6 Insurance companies, brokers and insurance agents, providing insurance support for vehicles rented by the Controller – The Controller provides the Client's personal data to a selected supplier acting on his behalf or on behalf of the Insurance Company only in the case and to the extent necessary to achieve the given purpose (conclusion of an insurance policy, filing of claims, liquidation of the damage).

4.3.7 suppliers of operational automotive services related to the serviving of the Controller's vehicles - the Controller provides personal data of the Client to a selected supplier only in the case and to the extent necessary to achieve a given purpose of data processing (appointment, service, inspection, repair, replacement of tires or other services related to the maintenance of the vehicle fleet).


5. PROFILING ON THE WEBSITE

5.1. The GDPR Regulation imposes on the Controller an obligation to inform about automated decision-making, including profiling referred to in Article 22 point 1 and 4 of the GDPR Regulation, and – at least in these cases – relevant information about the rules for their adoption, as well as the significance and envisaged consequences of such processing for the data subject. Having this in mind, the Controller provides information on possible profiling in this section of the privacy policy.

5.2. The Controller may use profiling on the Webstie for the purpose of direct marketing, but decisions made on its basis by the Controller do not concern the conclusion or refusal to conclude the Sale Agreement, or the possibility of using electronic services on the Website. The effect of using profiling on the Website may be, for example, granting a given person a rebate, sending a rebate code, reminding about unfinished purchases, sending a Product proposal that may correspond to the interests or preferences of a given person, or offering better conditions compared to a standard offer of the Website. Despite profiling, a given person makes a free decision whether he will want to use the rebate received in this way, or better conditions and make a purchase on the Website.

5.3. Profiling on Website consists in the automatic analysis or forecast of the behavior of a given person on the Website, e.g. by adding a specific Product to the shopping cart, browsing a particular Product page on the Website, or by analyzing the previous history of purchases on the Website. A prerequisite for such profiling is that the Controller owns the personal data of a given person in order to be able to send it, e.g. a rebate code.

5.4. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

6. THE RIGHTS OF THE DATA SUBJECT

6.1. The right of access, rectification, restriction, erasure or portability - the data subject has the right to request the Controller to access his personal data, rectify them, erasure ("right to be forgotten") or restrict processing and has the right to object to the processing and has the right to data portability. Detailed conditions for the exercise of the abovementioned rights are indicated in Articles 15-21 of the GDPR Regulation.

6.2. The right to withdraw consent at any time – the data subject has given the Controller consent to the processing of his or her personal data (based on Article 6 point 1 letter a) or Article 9 point 2 letter a) of GDPR Resolution), has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

6.3. Right to lodge a complaint with a supervisory authority – the person whose data is processed by the Controller, has the right to lodge a complaint with a supervisory authoruty in the manner and mode specified in the provisions of the GDPR Regulation and Polish law, in particular the Act on the Protection of Personal Data (ustawa o ochronie danych osobowych). The supervisory authority in Poland is the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych).

6.4. Right to object - the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 point 1 letter (e) (public task and interest) or (f) (legitimate interests pursued by the Controller), including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

6.5. The right to object to direct marketing - if personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his personal data for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.

6.6. In order to exercise the rights referred to in this section of the privacy policy, you can contact the Controller by sending a relevant message in writing or by e-mail to the Controller's address indicated at the beginning of this privacy policy or using the contact form available on the Website.

7. COOKIES ON THE WEBSITE, OPERATIONAL DATA AND ANALYSIS

7.1. Cookies are small text information in the form of text files, sent by the server and saved on the side of the person visiting the Website (e.g. on the hard drive of the computer, laptop or on the smartphone's memory card - depending on what device the visitor of our Website uses). Detailed information about cookies as well as the history of their creation can be found, among others here: https://en.wikipedia.org/wiki/HTTP_cookie  (http://pl.wikipedia.org/wiki/Ciasteczko).

7.2. The Controller may process data contained in Cookies when users use the Website for the following purposes 

7.2.1. identification of the Registered Users as logged in to the Website and showing that they are logged in;

7.2.2. remembering Products added to the shopping cart in order to place an Order;

7.2.3. memorizing data from completed Order Forms, surveys or login details to the Website;

7.2.4. adjusting the content of the Website to the individual preferences of the Recipient (e.g. regarding colors, font size, page layout) and optimizing the use of the Website pages;

7.2.5. keeping anonymous statistics showing the manner of using the Website;

7.2.6. remarketing, i.e. research on the behavior of visitors to the Website by anonymous analysis of their activities (e.g. repeated visits to specific websites, key words, etc.) in order to create their profile and provide them with advertisements tailored to their expected interests, also when they visit other websites on the Google Inc. Display Network and Facebook Ireland Ltd.;

7.3. By default, most web browsers available on the market implicitly accepts Cookies being saved. Everyone has the possibility to define the terms of using Cookies using the own browser's settings. This means that you can, for example, partially restrict (e.g. temporarily) or completely disable the option of saving Cookies – in the latter case, however, it may affect some of the functionalities of the Website (for example, it may not be possible to pass the order path through the Order Form due to non-memorizing the Products in the shopping cart during subsequent steps of placing the Order).

7.4. Browser settings in the scope of Cookies are important from the point of view of consent to the use of Cookies by our Website – in accordance with the regulations, such consent may also be expressed through the settings of the web browser. In the absence of such consent, the browser's settings in the field of Cookies should be changed accordingly.

7.5. Detailed information on changing Cookies settings and their self-removal in the most popular web browsers are available in the help section of the web browser and on the following pages (just click on the link):

in the Chrome browser
in the Firefox browser
in the Internet Explorer browser
in the Opera browser
in the Safari browser
in the Microsoft Edge browser

7.6. The Controller may use the services of companies providing analytical tools on the Website. These services help the Controller to analyze traffic on the Website. The collected data is processed as part of the above services in an anonymised way (they are so-called operational data that makes it impossible to identify a person) to generate statistics that help in the administration of the Website. These data are aggregate and anonymous, i.e. they do not contain identification features (personal data) of persons visiting the Website. The Controller using the above services on the Website collects such data as the source and medium of obtaining visitors to the Website and the manner of their behavior on the Website, information about devices and browsers from which they visit the website, IP and domain, geographic data and demographic data (age , sex) and interests.

7.7. The Controller may use the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland) one the Website. This service helps the Controller to measure the effectiveness of advertisements and find out what activities visitors of the website are taking, as well as display specific advertising to these people. Detailed information on the operation of the Facebook Pixel can be found at the following Internet address: https://www.facebook.com/business/help/742478679120153?helpref=page_content.

7.8. Managing the operation of Facebook Pixel is possible through the settings of advertisements in his account on Facebook.com: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.

8. FINAL PROVISIONS

8.1. The Website may contain links to other websites. The Controller suggest that after going to other websites, read the privacy policy established there. This privacy policy applies only to the Controller's Website.