PRIVACY POLICY
1. Definitions
1.1. Controller – Carrefour Polska Sp. z o.o., located in Warsaw, Targowa 72, 03-734, entered into the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register under the National Court Register Number (KRS): 0000020710, Tax Identification Number (NIP): 9370008168, National Business Registry Number (REGON): 070569406, share capital amounting to 1,970,719,050 PLN.
1.2. Personal Data – any information relating to an identified or identifiable natural person through one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including device IP address, location data, Internet identifier and information collected through cookies files or other similar technology.
1.3. Policy – this Privacy Policy.
1.4. GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Website – website kept by the Controller at the following address: serwiskorporacyjny.carrefour.pl.
1.6. User – any natural person visiting the Website or using one or several services or functionalities described in the Policy.
2. Data processing in connection with the use of the website
2.1. In connection with the User's use of the Website, the Controller collects data in the scope necessary to provide individual offered services, as well as information about the activity of the User on the Website. The detailed principles and purposes of personal data processing during the use of the Website by the User are described below.
3. Objectives and legal grounds for processing data on the Website
USE OF THE WEBSITE
3.1. Personal data of all people using the Website (including IP address or other identifiers and information collected via cookies files or other similar technologies) is processed by the Controller:
3.1.1. in order to provide services by electronic means in the scope of sharing with the User the content gathered on the Website - then the legal grounds for the processing is the necessity of processing to execute the agreement (Art. 6 section 1 subsection b of GDPR);
3.1.2. for analytical and statistical purposes - then the legal grounds for the processing is the legitimate interest of the Controller (art. 6 section 1 subsection f of GDPR) which consists in carrying out the analysis of the Users’ activity and their preferences in order to improve used functionalities and provided services;
3.1.3. in order to possibly determine and pursue claims or defence against them - legal grounds for processing is the legitimate interest of the Controller (art. 6 section 1 subsection f of GDPR) consisting in the protection of its rights;
3.1.4. for marketing purposes of the Controller and other entities, in particular related to the presentation of behavioural advertising - the principles of processing personal data for marketing purposes are described in section “MARKETING”.
3.2. User’s activity on the Website, including their personal data, is registers in system logs (a special computer program used for storing a chronological record containing information about events and activities related to the IT system used to provide services by the Controller). Information collected in logs is processed primarily for purposes related to the provision of services. Controller processes them also for technical and administrative purposes, in order to ensure security of the IT system and management of this system, as well as for analytical and statistical purposes - in this scope the legal grounds for processing is the legitimate interest of the Controller (art. 6 section 1 subsection f of GDPR).
FORMS OF CONTACT WITH THE CONTROLLER
3.3. Controller ensures the possibility of contact with it with the use of the following provided e-mail addresses, contact telephone numbers and indicated correspondence addresses, in order to handle the Customer’s inquiry. Using the specified forms of contact requires providing personal data necessary to contact the User and respond to the inquiry, the provision of which is required to receive and handle the inquiry. Failure to provide this data makes it impossible to provide service. Providing remaining data is voluntary.
3.4. Personal data is processed:
3.4.1. to identify the sender and to handle their inquiry sent to the shared e-mail address, transferred via contact telephone at the shared contact telephone number or by inquiry sent at correspondence address - legal basis for the processing is the necessity of processing for the purpose of the execution of the agreement for the provision of services (art. 6 section 1 subsection b of GDPR);
3.4.2. for analytical and statistical purposes - legal basis for the processing is the legitimate interest of the Controller (art. 6 section 1 subsection f of GDPR) which consists in keeping statistics of inquiries submitted by Users vie the Website in order to improve its functionality.
4. Marketing
4.1. Controller processes User's personal data in order to carry out marketing actions which can consist in:
4.1.1. displaying to the User marketing content that is not adapted to their preferences (contextual advertising);
4.1.2. displaying the User marketing content corresponding to their interests (behavioural advertising);
4.1.3. sending e-mail notifications about interesting offers or content, which in some cases contain commercial information (newsletter)
4.1.4. carrying out other types of activities related to the direct marketing of goods and services (sending commercial information by electronic means and telemarketing activities)
4.2. In order to perform marketing activities the Controller in some cases uses profiling. It means that thanks to the automating processing of data the Controller assesses selected factors concerning natural persons in order to analyse their behaviours or create prognosis for the future.
CONTEXTUAL ADVERTISING
4.3. Controller processes User’s personal data marketing purposes and in relation to targeting the User with contextual advertising (i.e. advertising not adapted to the User’s preferences). Processing personal data is then made in connection with the realisation of the legitimate interest of the Controller (art. 6 section 1 subsection f of GDPR).
BEHAVIOURAL ADVERTISING
4.4. Controller and its trusted partners process personal data of the Users, including personal data collected via cookies files and other similar technologies, for marketing purposes in connection with targeting the Users with behavioural advertising (i.e. Advertising adapted to the User's preferences). Personal data processing includes then also profiling of the Users. Using personal data collected via this technology for marketing purposes, in particular in the scope of promoting services and goods of third parties, requires the consent of the User. This consent can be withdrawn at any time.
DIRECT MARKETING
4.5. User's personal data can be also used by the Controller to send them through various channels marketing content, i.e. via traditional and electronic mail, via MMS/SMS or telephone. Such actions are taken by the Controller only in the case when the User gave consent to it and this consent can be withdrawn at any time.
5. Social media
5.1. Controller processes personal date of Users visiting the Controller’s profiles kept on social media (Facebook, YouTube, Instagram, Twitter). This data is processed only in connection with keeping the profile, including informing the users about the activity of the Controller and promoting different types of events, services and products. Legal grounds for processing this personal data by the Controller for this purpose is its legitimate interest (art. 6 section 1 letter f of GDPR) consisting in promoting its own brand.
6. Cookies and similar technology
6.1. Cookies are small text files installed on the device of the User browsing the Website. Cookies collect information facilitating the use of the website - e.g. by remembering visits of the User on the Website and activities performed by them.
“SERVICE” COOKIES
6.2. Controller uses the so-called service cookies primarily for the purpose of delivering to the User services provided via electronic means and improving the quality of these services. Therefore the Controller and other entities providing on its behalf analytical and statistical services use cookies files, storing information or getting access to the information already stored in the telecommunications terminal device of the User (computer, telephone, tablet etc.). Cookies files used to this end include:
6.2.1. session cookies of multimedia players (e.g. flash player cookies), for the time of the session (multimedia player session cookies);
6.2.2. cookies used to monitor traffic on the website, i.e. data analytics, including Google Analytics cookies (these are files used by Google in order to analyse the manner of using the Website by the User, to create statistics and reports concerning the functioning of the Website). Google does not use the collected data to identify the User and does not combine this information in order to allow identification. Detailed information about the scope and principles of collecting data in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
6.2.3. cookies counted from GTM codes.
MARKETING COOKIES
6.3. Controller and its trusted partners use also cookies for marketing purposes, i.a. in connection with targeting the Users with behavioural advertising. For this purpose the Controller and its trusted partners store information or get access to the information already stored in the telecommunications terminal device of the User (computer, telephone, tablet etc.). Using cookies files and personal data collected via this technology for marketing purposes, in particular in the scope of promoting services and goods of third parties, requires the consent of the User. This consent can be withdrawn at any time.
7. Period of Processing Personal Data
7.1. The period of processing data by the Controller depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service, until the consent is withdrawn or there is submitted n effective opposition against data processing in the cases when the legal grounds for data processing is the Controller’s legitimate interest.
7.2. The data processing period can be extended in the case when processing is necessary to determine and pursue possible claims or defence against claims, and after this time - only in the case and in the scope in which it will be required by the provisions of law. After the period of processing ends, data is irreversibly deleted or anonymised.
8. User’s rights
8.1. User has the right to: have access to data and to demand data rectification, erasing, restriction of processing, right to data portability and right to oppose against data processing, as well as the right submit a complaint to the supervisory authority responsible for the personal data protection.
8.2. In the scope in which the User’s data is processed based on the consent, this consent can be withdrawn at any time by contacting the Controller.
8.3. User has the right to oppose against data processing for marketing purposes if the processing is carried out in connection with the legitimate interest of the Controller, and - for the reasons related to the particular situation of the User - in other cases when the legal grounds for data processing is the legitimate interest of the Controller (e.g. in relation to the performance of analytical and statistical objectives).
8.4. You can find more information about rights resulting from GDPR here.
9. Data recipient
9.1. In connection with the provision of services, personal data will be disclosed to the external entities, including in particular providers responsible for handling IT systems, marketing agencies (in the scope of marketing services) and to the entities associated with the Controller, including companies from its capital group.
9.2. In the case of obtaining the User’s consent, their data can be shared with other entities for their own purposes, including marketing purposes.
9.3. Controller reserves the right to disclose selected information concerning a User to the competent authorities or third parties that request providing such information, based on an appropriate legal grounds and in accordance with the applicable provisions of law.
10. Transferring data outside EEA
10.1. The level of protection of personal data outside the European Economic Area (EEA) differs from the one provided by European law. For this reason the Controller transfers personal data outside EEA only when it is necessary, and ensuring at the same time the appropriate level of protection, primarily through:
10.1.1. cooperation with entities processing personal data in countries, in relation to which an appropriate decision of the European Commission was issued;
10.1.2. use of standard contractual clauses issued by the European Commission;
10.1.3. use of binding corporate rules approved by the competent supervisory authority;
10.2. Controller always informs about the intention of transferring personal data outside EEA at the collection stage.
11. Security of Personal Data
11.1. Controller conducts risk analysis on an ongoing basis in order to ensure that personal data is processed by it in a secure manner - ensuring primarily that the access to personal data is granted only to authorised people and only in the scope necessary to perform tasks. Controller makes sure that all operations on personal data are registered and made only by authorised employees and collaborators.
11.2. Controller take all necessary actions so that also its contractors and other collaborating entities provide guarantee of using appropriate security measures in any aces of processing personal data at the request of the Controller.
12. Contact details
12.1. Contact with the Controller is possible via e-mail address at kontakt@carrefour.pl, telephone number at +48 801 200 000 or in writing at the address of controller’s registered office.
12.2. Controller appointed the Inspector for the Protection of Personal Data who you can contact via e-mail at iod@carrefour.pl in all cases related to the processing of personal data.
13. Amendments to the Privacy Policy
13.1. The policy is verified on an ongoing basis and updated if necessary. The current version of the Policy was adopted on 25 May 2018 and is applicable since this date.