GDPR

The Controller of your personal data is Polski Standard Płatności S.A., a company incorporated under the laws of Poland  and having its registered office in Warsaw (postal code: 00-718) at ul. Czerniakowska 87A, entered in the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, XIII Economic Division of the National Court Register under entry no.: KRS 0001141221, tax identification (NIP): 5213664494, registered share capital PLN 151 263 000(hereinafter referred to as "PSP").

You can contact the PSP via email address: kontakt@blik.com or in writing (at the PSP registered office address). The PSP has appointed a Data Protection Officer (DPO) whom you can contact via email: iod@blik.com or in writing (at the PSP registered office address). You can contact the DPO on all matters concerning the processing of your personal data and the exercise of your rights in relation to data processing.

PSP processes your personal data for:

• Direct marketing of PSP's products and services after the BLIKOMANIA Lottery and information about promotions carried out jointly or separately with PSP's cooperating banks, clearing agents and merchants, including profiling in order to learn about your needs (Art. 6(1)(a) of the GDPR).

The legal basis for processing your personal data is:

• Consent - to carry out direct marketing of PSP's own products and services and to inform about promotions carried out jointly or separately with PSP's cooperating banks, clearing agents and merchants, including profiling in order to learn about your needs, after the BLIKOMANIA Lottery has ended.

If you have consented to the processing of your personal data for the purposes of direct marketing of PSP products and services, including profiling to learn about your needs after the BLIKOMANIA Lottery, PSP will store your data until you withdraw your consent.

PSP transfers your personal data to subcontractors who process personal data on behalf of PSP (such as IT service providers or marketing agencies) whereby such entities process your data on the basis of a contract with PSP and only in accordance with the instructions of PSP.

You have the right of access to your data and the right to request rectification, erasure or restriction of processing. You have the right of access to your data and the right to request rectification, erasure or restriction of processing.

In addition, to the extent that the processing is based on:

- Fulfilment of the legitimate interest of the PSP - you have the right to object to the processing of your personal data;

- Consent - you have the right to withdraw your consent. The withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal;

- Conclusion or performance of a contract, or consent - you have the right to data portability of your personal data, i.e. to receive your data from PSP in a structured, commonly used machine-readable format. You can send this data to another data controller.

Where provided by law, you have the right to object to processing for direct marketing and profiling purposes.

You also have the right to lodge a complaint with the data protection supervisory authority, which is the President of the Personal Data Protection Office.

The provision of data for marketing purposes is voluntary.

Personal data is profiled for direct marketing purposes. The purpose of these operations is to adapt the products or services offered by the Controller to your needs in the best possible way. Profiling does not affect your legal situation. On the basis of the processed data, the Controller's employees get to know your preferences, adapt the offer of its products or services to them and decide to undertake specific marketing activities or personalise marketing messages. Personalisation of marketing messages consists in particular in adjusting their content to the specific recipient, his/her interests, and preferences.

The Controller of your personal data is Polski Standard Płatności S.A. , a company incorporated under the laws of Poland  and having its registered office in Warsaw (postal code: 00-718) at ul. Czerniakowska 87A, entered in the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, XIII Economic Division of the National Court Register under entry no.: KRS 0001141221, tax identification (NIP): 5213664494, registered share capital PLN 151 263 000 (hereinafter referred to as "PSP").

The Data Controller can be contacted via email address: kontakt@blik.com, or in writing (address of the Controller's registered office). The controller has appointed a Data Protection Officer, who can be contacted by email: iod@blik.com, or in writing (address of the controller's registered office). The Data Protection Officer can be contacted on all matters concerning the processing of personal data and the exercise of rights in relation to data processing.

The area covered by video surveillance includes: office entrance/exit, reception area, corridors, and stairwells.

CCTV includes the image of the person who is within the range of the marked cameras, excluding the processing of biometric data. Your data will be processed to:

• Ensure the safety of workers or the protection of property or
• Maintain the confidentiality of information, the disclosure of which could expose the Controller to harm.

The legal basis for the processing of your personal data is the legitimate interest of the Controller, i.e. the basis referred to in Article 6(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the "GDPR") related to the purposes indicated above.

1. The data are recorded on a data logger and are available for one (1) month. Only the image (no sound) is recorded and stored on the medium. After this period, the data are automatically overwritten. If the image recordings constitute evidence in proceedings under the law or the employer has become aware that they may constitute evidence in the proceedings, the deadline is extended until the proceedings have become final.
2. The Controller secures incidents recorded by video surveillance that threaten the safety, life and health of employees and people on the office premises, destruction and theft of property for evidentiary purposes: (a) at the request of third parties; (b) at the request of authorities conducting proceedings in accordance with the applicable legislation.
3. Secured video surveillance content is only made available to the authorities investigating the recorded event, e.g. the police, prosecutor's office, courts, which operate on the basis of separate regulations.

Your data may be transferred to entities processing personal data on behalf of the controller, e.g. to IT service providers - whereby such entities process data on the basis of a contract with the Controller and only in line with the Controller's instructions.

You have the right of access to your data and the right to request rectification, erasure, and/or restriction of processing.

To the extent that the processing of your personal data is based on the premise of a legitimate interest of the Controller, you have the right to object to the processing of your personal data due to your particular situation.

You also have the right to lodge a complaint with the supervisory authority in charge of personal data protection – President of the Office for Personal Data Protection.

To exercise these rights, please contact the Data Controller or the Data Protection Officer. The contact details have been specified above.

Your image is automatically recorded by video surveillance cameras while you are in the monitored area.

This document contains information about the principles of the Controller's processing of personal data and the related rights in connection with the implementation of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR").

The Data Controller is POLSKI STANDARD PŁATNOŚCI S.A. , a company incorporated under the laws of Poland  and having its registered office in Warsaw (postal code: 00-718) at ul. Czerniakowska 87A, entered in the National Court Register by the District Court for the Capital City of Warsaw in Warsaw, XIII Economic Division of the National Court Register under entry no.: KRS 0001141221, tax identification (NIP): 5213664494, registered share capital PLN 151 263 000

The Controller can be contacted at the address of the company's registered office indicated above or at the email address kontakt@blik.com. The Controller has appointed a Data Protection Officer. The Data Protection Officer can be contacted at the email address: iod@blik.com

Your personal data have been provided (made available) to us by your employer or the person (company) with whom you work (hereinafter referred to as the "PSP Contractor") in connection with the conclusion of a contract with us, as part of the process of offering products or services either by the PSP Contractors or by us, or any other mode of contracting between us, as well as in relation to the performance of an agreement concluded with us by the PSP Contractor (including as a subcontractor or collaborator), hereinafter collectively referred to as the "Contract".

The purpose of processing personal data is:

1) The conclusion and performance of the Contract to which the PSP Contractor is a party (Article 6(1)(f) of the GDPR);

2) The assertion or defence of claims arising from the Contract (Article 6(1)(f) of the GDPR);

3) Archiving (Article 6(1)(f) of the GDPR);

4) Compliance with legal obligations incumbent on the Controller, in particular those arising from tax and accounting legislation (Article 6(1)(c) of the GDPR).

The processing of the data includes personal data identifying the persons who represent the PSP Contractor (personal data of the PSP Contractor's representatives, including agents or members of the PSP Contractor's bodies (collectively, the "PSP Contractor's Representatives") and the identification and contact data of the PSP Contractor's designated contact persons, whose personal data the PSP Contractor has provided to the Controller (personal data of its employees, associates (collectively, the "PSP Contractor’s Personnel") and employees and associates of its subcontractors or collaborators (the "Personnel of other PSP Contractors") involved in the performance of the Contract with the Controller.

The provision of personal data is voluntary but necessary for the conclusion of the Contract and its execution, including contact between the PSP Contractor and the Controller.

The Controller processes your personal data obtained from your employer. If you have provided us with your data directly (e.g. data provided on forms or otherwise), the Controller in each case scrupulously verifies that there is a legal basis for processing your personal data.

Activities on personal data carried out on the basis of a legitimate interest of the Controller will be carried out until an effective objection is raised against the processing for these purposes; on grounds related to the particular situation of the data subject; against the processing of data concerning the data subject unless the Controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or grounds for the establishment, assertion or defence of claims, or until the purpose of the processing has been fulfilled.

The processing of data for the purpose of fulfilling legal obligations will be carried out for the period indicated in the legal provisions imposing certain obligations on the Controller until such time as they are fulfilled.

The Controller will process the personal data for the purposes arising from the legitimate interests pursued by the Controller - on the basis of Article 6(1)(f) of the GDPR, which for the Controller are the purposes referred to above. In assessing whether the indicated purposes are legitimate the following elements are taken into account e.g.:

(a) Any relationship between the purposes for which the personal data were collected and the purposes of the intended further processing,

(b) The context in which the personal data were collected, in particular the relationship between the data subjects and the controller,

(c) The nature of the personal data,

(d) The possible consequences of the intended processing,

(e) The existence of adequate safeguards.

The personal data processed will not be profiled and no automated decisions will be made on the basis of the data.

Personal data may be disclosed to other entities (the so-called data recipients), i.e. entities cooperating with the Controller, in particular entities providing services to the Controller, including IT, postal or courier services, other entities, when it is necessary to achieve the purposes set out in the Contract, including entities to which the Controller has entrusted the processing of personal data by way of a contract, as well as persons who, under the authorisation of the Controller or the processing entity, may process personal data, e.g. employees and co-workers.

Personal data may be made available to public authorities and to entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes that are required by law. Personal data will not be transferred outside the EEA (European Union, Norway, Liechtenstein, and Iceland).

The individuals whose personal data are processed have the right to request access to the content of their personal data, rectification, erasure or restriction of processing, to obtain a copy of the data, to object to processing, as well as the right to lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office.