Personal Data Protection Policy (GDPR)
DRIVE ONE SP. Z O.O.
§1. General Provisions
This Personal Data Protection Policy sets out the rules for the processing of personal data by Drive One spółka z ograniczoną odpowiedzialnością, with its registered office in Sękocin Stary at ul. Graniczna 15, entered into the register of entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, under KRS number 0000766288, NIP 7010902908, and REGON 382368043, covering the servicing of individual and business clients, the sale of services through an online booking system, marketing activities, and video surveillance.
The purpose of this document is to ensure compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), as well as to demonstrate such compliance through the implementation of appropriate organizational and technical measures.
This Policy applies to all employees, associates, and entities processing data on behalf of the Controller.
§2. Data Controller
The controller of personal data is Drive One spółka z ograniczoną odpowiedzialnością, with its registered office in Sękocin Stary at ul. Graniczna 15, entered into the register of entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register, under KRS number 0000766288, NIP 7010902908, and REGON 382368043.
The Controller is responsible for the lawful processing of data, data security, and the exercise of the rights of data subjects.
§3. Scope and Method of Data Collection
Personal data is collected directly from clients, in particular through registration forms, the online booking system, telephone or in-person contact, as well as automatically while using the website.
The Controller processes data such as: first and last name, email address, telephone number, transaction data, booking history, IP address, and data collected through cookies.
Data is collected only to the extent necessary to achieve the specified purposes.
As a rule, providing personal data is voluntary; however, in some cases it may be necessary to conclude a contract or use the Controller’s services, in particular for:
making a booking,
purchasing a ticket,
participating in an event.
Failure to provide data may make it impossible to perform the service.
§4. Purposes and Legal Bases for Processing
Personal data is processed for the purpose of providing services, handling bookings, processing payments, contacting clients, conducting marketing activities (with consent), and ensuring security.
The legal basis for data processing is, in particular:
performance of a contract,
a legal obligation,
the legitimate interest of the Controller,
consent of the data subject.
§5. Automatically Collected Data and Cookies
When using the website, technical data is collected automatically, including IP address, device information, browser information, and user activity.
The Controller uses cookies to ensure the proper functioning of the website, analyze traffic, and conduct marketing activities.
The user may manage cookies through browser settings or the consent mechanism.
§6. Profiling and Marketing
The Controller may use personal data for marketing activities, including sending commercial information by electronic means or by telephone, only after obtaining the prior consent of the data subject.
To a limited extent, the Controller may use profiling, consisting of analyzing user preferences in order to tailor offers. Profiling does not produce legal effects and does not significantly affect the situation of the data subject.
§7. Data Retention Period
Data is retained for the period necessary to achieve the purposes of processing, including the term of the contract and the period required by law.
Marketing data is retained until consent is withdrawn, and CCTV recordings are retained for no longer than 30 days.
§8. Data Recipients and Processing Entrustment
Data may be transferred to entities cooperating with the Controller, such as booking system providers, payment operators, IT companies, and accounting firms.
Any transfer of data takes place on the basis of a data processing agreement.
§9. Transfers Outside the EEA
If IT tools provided by entities located outside the European Economic Area are used, the Controller ensures that data transfers are carried out in accordance with applicable law, in particular by applying appropriate safeguards such as standard contractual clauses.
§10. Video Surveillance
Video surveillance may be operated on the premises for the purpose of ensuring the safety of persons and property. The monitored area is properly marked, and access to recordings is restricted to authorized persons.
§11. Data Security
The Controller applies technical and organizational measures to ensure data security, including:
encryption of data transmission (SSL),
access control to IT systems,
regular security testing,
limiting access to data exclusively to authorized persons,
recording data operations (system logs),
backup and data recovery procedures.
§12. Rights of Data Subjects
Data subjects have the right to access their data, rectify it, erase it, restrict processing, transfer data, and object to processing.
The Controller ensures the possibility of contact regarding personal data protection matters via a dedicated email address or other indicated communication channels.
Each request is reviewed without undue delay, and no later than within the time limits provided by law.
§13. Breach Procedure
In the event of a data breach, the Controller takes actions including incident identification, risk analysis, documentation, and, where necessary, notification to the supervisory authority.
§14. Risk Analysis and Audit
The Controller regularly conducts risk analyses and internal audits in order to verify the effectiveness of the implemented measures.
§15. Employee Obligations
Employees are required to comply with data protection rules, use only authorized systems, secure access to data, and report any incidents.
§16. Final Provisions
This Policy is subject to regular updates and constitutes an integral part of the information security management system within the company.
If you want, I can also turn this into a more formal legal English version suitable for publication on a company website.