PRIVACY POLICY
1. Data Controller
- The Controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (GDPR) is Paweł Weichhold performing business activity under the name World Chess Community IM Paweł Weichhold at the address Strzelino 32 lok. 2, 76-200 Strzelino, NIP: 8393046628, Statistical number [REGON]: 389818609.
- Contact with the Data Controller: imchessbrain@gmail.com.
- The controller pursuant to Article 32(1) of the GDPR shall observe the principle of personal data protection and shall use appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data processed in connection with its operations.
- Provision of personal data is voluntary, but necessary in order to establish cooperation and/or enter into a contract with the data controller.
- The data controller processes personal data only to the extent necessary for the proper provision of services or to take action at the request of the data subject.
2. Purpose and basis of personal data processing
The Controller processes personal data for the following purposes:
- provision of services electronically through the Website, based on the concluded agreement (Article 6(1)(b) GDPR);
- handling of the complaint process, based on the obligation of the data controller under applicable laws (Article 6(1)(c) of the GDPR);
- accounting related to the issuance and acceptance of billing documents, based on the provisions of tax law (Article 6(1)(c) of the GDPR);
- archiving data for possible establishment, investigation or defense against claims or the need to prove facts, which is a legitimate interest of the data controller (Article 6(1)(f) GDPR);
- contact by phone or email, in particular in response to inquiries made to the data controller, which is a legitimate interest of the data controller (Article 6(1)(f) GDPR);
- sending technical information regarding the operation of the Website and the services used by the customer, which is a legitimate interest of the data controller (Article 6(1)(f) GDPR);
- marketing, which is its legitimate interest (Article 6(1)(f) of the GDPR) or is based on previously granted consent (Article 6(1)(a) of the GDPR).
3. Data Recipients. Transfer of data to third countries
- Recipients of personal data processed by the data controller may be entities cooperating with the data controller, when this is necessary for the performance of a contract concluded with the data subject.
- Recipients of personal data processed by the data controller may also be subcontractors – entities whose services are used by the data controller for data processing, e.g. IT service providers (including hosting services).
- The data controller may be obliged to make personal data available on the basis of applicable laws, in particular to make personal data available to authorized state authorities or institutions.
- Personal data in connection with the controller’s use of Facebook’s Pixel tools (pursuant to §7) may be transferred to an entity located outside the European Economic Area, such as Meta Platforms Inc. As an appropriate data protection measure, the data controller has agreed to standard contractual clauses in accordance with Article 46 GDPR with the providers of these services. More information available at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en
4. Personal details storage period
- The data controller shall keep personal data for the duration of the contract concluded with the data subject and after its termination for purposes related to the assertion of claims related to the contract, the performance of obligations under applicable laws, but for no longer than the statute of limitations under the Civil Code.
- The data controller shall keep personal data contained on billing documents (e.g. invoices) for the period indicated by the provisions of the Value Added Tax Act and the Accounting Act.
- The data controller shall keep personal data processed for marketing purposes for a period of 10 years, but no longer than until you withdraw your consent to the processing or object to the processing.
- The data controller shall keep personal data for purposes other than those indicated in sections 1 through 3 for a period of 3 years, unless consent for data processing has been previously withdrawn, and data processing cannot be continued on any other basis than the consent of the data subject.
5. Rights for data subjects
- Every data subject has the right:
- of access – to obtain confirmation from the controller as to whether his or her personal data is being processed. If data about a person is processed, he or she is entitled to access it and obtain the following information: the purposes of the processing, the categories of personal data, information about the recipients or categories of recipients to whom the data have been or will be disclosed, the duration of data storage or the criteria for determining it, the right to request rectification, erasure or restriction of the processing of personal data of the data subject, and the right to object to such processing (Article 15 GDPR);
- to obtain a copy of the data – to obtain a copy of the data being processed, with the first copy being free of charge, and for subsequent copies the controller may charge a reasonable fee based on administrative costs (Article 15(3) of the GDPR);
- to rectify – to request the rectification of personal data pertaining to him or her that is incorrect or the completion of incomplete data (Article 16 of the GDPR);
- to erasure – to request the deletion of his/her personal data if the controller no longer has a legal basis for processing it or the data are no longer necessary for the purposes of processing (Article 17 of the GDPR);
- to restrict processing – request restriction of processing of personal data (Article 18 GDPR), when:
– the data subject questions the accuracy of the personal data – for a period that allows the controller to verify the accuracy of the data,
– processing is unlawful, and the data subject objects to the erasure of the data by requesting restriction of its use,
– the controller no longer needs the data, but it is needed by the data subject to establish, assert or defend a claim,
– the data subject has objected to the processing – until it is determined whether the legitimate grounds on the part of the controller override the grounds of the data subject’s objection;
- to transfer data – to receive in a structured, commonly used, machine-readable format the personal data concerning him or her that he or she has provided to the controller, and to request that the data be sent to another controller if the data are processed on the basis of the data subject’s consent or a contract with him or her, and if the data are processed by automated means (Article 20 GDPR);
- to object – to object to the processing of his or her personal data for the legitimate purposes of the controller, on grounds related to his or her particular situation, including profiling. Then the controller shall assess the existence of valid legitimate grounds for the processing, overriding the interests, rights and freedoms of the data subjects, or grounds for establishing, asserting or defending claims. If, according to the assessment, the interests of the data subject outweigh the interests of the controller, the controller will be obliged to stop processing the data for these purposes (Article 21 of the GDPR).
- In order to exercise the aforementioned rights, the data subject should contact the controller using the contact details provided and state which right he or she wishes to exercise and to what extent.
- The data subject has the right to file a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.
6. Profiling
Personal data obtained by the data controller will not be processed by automated means – including profiling.
7. Facebook Pixel
- The Controller uses Facebook Pixel, an analytics tool that helps measure the effectiveness of ads based on analysis of users’ actions on the site.
- The Controller uses the Facebook Pixel tool to target the Customer with personalized Facebook ads. This involves the use of cookies from Facebook. The legal basis for the Controller’s use of the Facebook Pixel tool is Article 6(1)(f) of the GDPR.