1. Definitions
1.1. Data Controller or Cyfrowy Polsat – Cyfrowy Polsat S.A., 4a Łubinowa Street, 03-878 Warszawa, entered in the Register of Businesses in the National Court Register which is maintained by the District Court for the Capital City of Warsaw in Warsaw, KRS reg. no. 0000010078, NIP (tax ID) 796 18 10 732, with share capital of PLN 25,581,840.64 (fully paid).
1.2. Personal data – all the information regarding a natural person which has been identified or can be identified by one or several traits defining the person’s the physical, physiological, genetic, psychic, economic, cultural or social identity, including the device’s IP address, location data, Internet identifier and the information gathered using cookies as well as any other technologies of similar nature, if such data enables User identification.
1.3. Privacy Policy – the present Privacy Policy.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.5. Service – the web service operated by the Data Controller at the following address: www.grupapolsatplus.pl.
1.6. User – any natural person accessing the Service or using one or several features offered by the Service.
1.7. Trusted Partner – an entity which whom the Data Controller cooperates. The Trusted Partner provides marketing content which matches a User’s needs or acts as an intermediary in providing such content.
2. Data processing connected with use of the Service
2.1. The Privacy Policy describes the principles of use of cookies or other similar technologies as well as the principles of processing of the personal data gathered in the course of use of the Service by the User.
2.2. In connection with use of the Service by the User, the Data Controller collects the User’s data in the scope that is necessary to enable provision of respective services offered by the Service, as well as the information regarding the User’s activity in the Service, including the IP address of the device used, the location data, the Internet identifier as well as all other information gathered while using cookies or other technologies of similar nature. Cookies or other similar technologies do not serve the purpose of User identification and the User’s identity is not determined while using such means. Cookie files as well as other similar technologies do not enable identification of a natural person when used on stand-alone basis. The information gathered by cookie files and other similar technologies may constitute personal data only when combined with other unique identifiers or other identification-enabling information.
2.3. Use of the Service is possible without the necessity of setting up a User account. In such a case the Service can be used without the need for providing personal data in the registration form. The data processed in such a case includes the information regarding use of the Service as such.
2.4. At the User’s consent, Trusted Partners who use cookie files or other similar technologies to collect and process personal data for the purpose of content personalization can have access to the information regarding use of the Service by the User.
2.5. The Service offers the possibility of use of social media portal functionalities, e.g. the possibility of commenting on articles or sharing them (Facebook). In such cases, at the User’s request, the Service will download the information necessary to enable such activities from a User’s social media portal account.
3. Cookies and similar technologies
3.1. Cookies or similar technologies are used in connection with use of the Service in order to assure access to the Service for the User, streamline the Service’s operation, as well as enable profiling and displaying of the content which matches the User’s needs.
3.2. Cookies are small text files which are saved on the end-user device (a computer, a mobile phone, a tablet, etc.) while the Service is being used. These files enable saving and storing the information which the Data Controller as well as other parties providing services (e.g. analytical and statistical data collection) to the Data Controller or to the Trusted Partners use for various purposes which can be divided into the categories that are described below.
3.3. The technologies which are similar to cookies, including Local Storage and Session Storage, are an area of the web browser memory where data is stored. Local Storage differs from cookies in that sense that the data stored therein is only available to a given web browser and cannot be read by a server. In the case of Local Storage the data is not deleted once the browser is closed. Session Storage is a counterpart of cookies, however bigger in size. The data is not sent together with every server query but only on request. In the case of Session Storage, the data is deleted once the session ends.
3.4. For simplicity, cookies and similar technologies will be hereafter jointly referred to as “the cookies.”
3.5. We use two types of cookies or similar technologies which are differentiated in terms of their lifecycle:
3.5.1. session cookies– these files are stored on a User’s device until the time a User logs off or leaves the Service;
3.5.2. persistent cookies – these files are stored on a User’s device until the time when deleted by a User, or until the time a cookie file expires after the lapse of the time indicated in the file’s specification.
3.6. The Data Controller, as well as other parties providing services to the Data Controller (e.g. analytical and statistical data collection), or the Trusted Partners use cookies for various purposes which can be divided into the following categories:
3.6.1. Mandatory cookies which are necessary to enable use of the Service:
a) cookies containing the data entered by a User (session ID) for the duration of the session (user input cookies);
b) cookies which are used for accessing the services which require authentication for the duration of a session (authentication cookies);
c) cookies used for assuring security, e.g. for detecting authentication-related fraud attempts (user centric security cookies);
d) session cookies used by multimedia players (e.g. flash cookies) for the duration of a session (multimedia player session cookies);
3.6.2. Functional cookies which facilitate use of the service:
a) persistent cookies used for User interface customization for the duration of a session, or for a slightly longer time (user interface customization cookies),
b) cookies used for webpage traffic monitoring, i.e. serving the purpose of data analytics – these are the files that are used for the purpose of analyzing of the way in which a User uses the Service in order to develop statistics and reports regarding functioning of the Service.
c) cookies used for logging in to the Service from social media portals.
3.6.3. Marketing cookies which enable delivery of marketing content – the Data Controller and the Data Controller’s Trusted Partners also use cookies for marketing purposes, including in connection with directing of behavioral ads to Users.
3.7. Use of cookies and the personal data collected while using the cookies for marketing purposes by Trusted Partners requires User consent. The consent can be withdrawn at any time.
3.8. A User can, at any time, change the settings related to cookies or similar technologies by modifying the privacy settings in the web browser or in the application, or by changing the settings of the User’s account in the Service, however such changes can result in inability to access some of the Service’s functions.
3.9. Change of privacy settings is possible by selecting a relevant option in the web browser’s or the application’s settings. In the case of the most popular web browsers, Users may manage the privacy settings, including the cookie files, on their own, especially by accepting cookies, changing cookie-related settings as well as blocking or deleting cookies. The method and scope of privacy setting changes depends on the type or version of the web browser or the application used. Detailed information regarding modification of privacy settings is available at the websites of respective providers:
in the Chrome browser
in the Firefox browser
in the Internet Explorer browser
in the Microsoft Edge browser
in the Opera browser
in the Safari browser
4. Purposes and legal basis of data processing in the Service
The Controller processes Users’ personal data for the following purposes:
4.1. ensuring access to the service – pursuant to Article 6, item 1 b of GDPR;
4.2. fulfillment of legal obligations – pursuant to Article 6, item 1 c of GDPR;
4.3. pursuit of the following legitimate interests of the Controller or of a third party – pursuant to Article 6, item 1 f of GDPR:
4.3.1. own marketing activities, including profiling, in particular by presenting behavioral advertising, displaying of marketing content to a User in the Service or sending, to specific Users, of notifications regarding offers or content of interest to them while using means of electronic communications, e-mail in particular, subject to a relevant consent having been expressed by a User, as well as all other marketing-related activities, e.g. satisfaction surveys;
4.3.2. fraud detection and elimination;
4.3.3. own, internal purposes associated with provision of services and conducting of business, including for evidence-related, analytical and statistical purposes.
4.4. User’s personal data will be processed for at the User’s consent for the marketing purposes pursued by Trusted Partners, including in particular for the purposes associated with presentation of behavioral advertisements – pursuant to Article 6, item 1 a of GDPR.
4.5. Pursuit of the above goals results in use of profiling by the Data Controller in some of the cases. This means that thanks to automatic data processing the Data Controller performs assessment of selected factors related to natural persons in order to analyze such persons’ behavior or create forward-looking forecasts. No essential decisions regarding the Users are made in an automated manner as a result of such analyses.
5. Personal data retention period
5.1. Personal data will be processed for the period: a) envisaged for the fulfillment of the obligations resulting from the provisions of the law concerning national defense, state security and public law and order, as well as tax and accounting regulations, b) for the period of limitation of claims and until the end of any civil, enforcement, administrative and criminal proceedings requiring personal data processing, and, in the case of the provided consent – until the purpose for which the consent was granted is achieved or until the consent is revoked, whichever comes earlier.
5.2. A User can delete the cookies from their device by themselves. To erase the cookies from the User’s device (a computer, a mobile phone, a tablet, etc. ), a User should delete the data from the cache as well as delete the cookies. Erasing the cache and the cookies should be done in the browser’s settings. The settings may differ depending on the browser used and its version. Erasing of the cookies will result in erasing of the Service’s settings.
6. User rights
6.1. A User is entitled to exercise the following rights in connection with the User’s personal data processing:
6.1.1. the right to have the data corrected – if any errors occurred during data collection or if the data has changed, then a User will have the right to provide the correct and valid data while the Data Controller will correct and update such data;
6.1.2. the right to access the data – a User can exercise the right if they wish to know what data is processed by us;
6.1.3. the right to have the data deleted, also known as “the right to be forgotten” – if a User concludes that the data is no longer necessary for the purposes for which it has been collected, the User will have the right to approach the Data Controller with a request for erasure of the data;
6.1.4. the right to restrict data processing – if a User has doubts as to whether the data is processed properly by the Data Controller, the User will have the right to file a request data processing that data processing be restricted;
6.1.5. the right to transfer the data – a User may obtain and transfer, from the Data Controller to another entity, the data which the User provided to the Data Controller;
6.1.6. the right to object to data processing, when done on the basis of the Data Controller’s or a third party’s legitimate interest, including profiling, due to the reasons related to specific circumstances, and the right to object to data processing for direct marketing purposes, including profiling,
6.1.7. the right to revoke the granted consent at any time – a User will have the right to revoke the granted consent to data processing at any time without indicating the reasons; revoking of consent does not operate retroactively, which means that data processing which took place up until the moment of revoking of consent remains fully valid and legitimate.
6.2. For the purpose of reviewing a request to exercise the above rights, the Data Controller will be authorized to verify the User’s identity, which will prevent disclosure of the information regarding the User to any unauthorized persons. As regards the Users who have not setup an account in the Service, the Data Controller will not be able to verify the User’s identity, since the processed data includes only the information regarding use of the Service, without including any information regarding the User’s identity.
6.3. A User can file a complaint regarding personal data processing with the supervisory authority who is responsible for the protection of personal data. The President of the Office of Personal Data Protection is the supervising authority in the Republic of Poland.
7. Data recipients and Trusted Partners
7.1. Users’ personal data can be transferred to the following categories of recipients: the parties who provide to the Data Controller the services which are required for the purpose of fulfillment of the goals of data processing, including providers of IT services, the entities providing technical, organizational and consulting support, other sub-contractors providing services in the field of customer care, billing, payment processing and marketing; integrators as well as parties providing additional services in the form of premium rate services, duly authorized entities, Polsat Plus Group companies.
7.2. At a User’s consent, access to the information regarding use of the Service can be provided to Trusted Partners who use cookie files and similar technologies to collect and process personal data for the purpose of personalization of content. The Trusted Partners, with whom the Data Administrator cooperates in connection with use by such partners of services and tools which enable them, among others, to perform personalization of the content and the services offered via the Service, include the parties who belong to the following categories of entities: advertisers, media houses, companies offering advertising campaign-management tools, as well as owners of Internet services, Google, Facebook and Gemius in particular. Trusted Partners are allowed, among others, to analyze, compile and combine the information from the Service with other information in their possession, e.g. the information regarding use of their services by the User or the User’s activity in other Internet services. The information regarding the principles of personal data processing and use of cookie files and other technologies by Trusted Partners is provided in the manner defined by such Trusted Partners, especially in the Trusted Partners’ documents which describe the rules of personal data processing and protection that they employ.
8. Transfer of data outside the EEA territory
Personal data may be transferred to the countries / international organizations located outside the European Economic Area if, based on the decision of the European Union, such countries / organizations are deemed as ensuring an adequate level of personal data protection, which is equivalent to the degree of protection valid on the territory of the European Economic Area, or provided that the appropriate safeguards are applied, which may consist in applying valid corporate rules, standard contractual clauses adopted by the European Commission, standard personal data protection clauses adopted by the President of the Polish Office of Personal Data Protection, or based on the contractual clauses authorized by the President of the Polish Office of Personal Data Protection, while the copies of such personal data may be obtained at the request submitted in the manner mentioned in item 10 below.
8a. Information connected with CJEU judgment in Schrems II case
In specific situations, some technical solutions, including the ones employed for the purpose indicated in item 2.5 of the present Policy document, can be provided by the parties registered outside the European Economic Area (EEA), including in the United States of America. This means that the Users’ personal data can be transferred to the countries where the providers’ registered offices are located, including also to the USA. Such partners include Google and Facebook who declare that they ensure adequate level of protection of the processed personal data by adopting and employing standard EU contractual clauses in lieu of the so-called Privacy Shield which was annulled by the ruling of the Court of Justice of the European Union (CJEU) dated 16 July 2020 regarding the Schrems II case (FB information, Google information). The types of the safeguards employed are analyzed from the point of view of the risks posed, subject to being modified if new legal instruments are adopted by the relevant EU bodies for the purpose of assuring the relevant degree of security of the personal data that is transferred outside the EEA territory.
9. Personal data security
9.1. The Data Controller carries out, on an on-going basis, risk analysis to assure that the personal data is processed in a secure manner which, above all, assures that access to the data is granted only to the duly authorized persons and only in the scope which is absolutely indispensable from the point of view of the tasks performed by such persons. The Data Controller takes care that the operations involving personal data be registered and carried out only by the duly authorized employees and associates.
9.2. The Data Controller takes all the necessary actions to make sure that the Data Controller’s subcontractors as well as other cooperating parties offer guarantee of employing the relevant safeguards whenever processing personal data at the Data Controller’s request.
10. Contact details
10.1. Requests, declarations and all correspondence regarding personal data shall be addressed by phone to the Customer Service Center (tel. 22 212 72 22 ), in writing to the following address: Cyfrowy Polsat S.A., ul. Łubinowa 4a, 03-878 Warszawa, by e-mail to: kontakt@cyfrowypolsat.pl, as well as in writing or orally for the record at points of sale (points of customer service).
10.2. The Data Controller has appointed the Data Protection Officer who can be contacted by e-mail at: iod@cyfrowypolsat.pl, or in writing at the above mentioned address of the controller, marked for the attention of „Inspektor ochrony danych” (Data Protection Officer).
11. Amendments to the privacy policy
11.1. The Privacy Policy is verified on an on-going basis and amended when necessary. The current version of the Privacy Policy was adopted on 19 May 2022 and has been in place since then.