Polski
English
Deutsch
Español
УкраїнськаWRP SYSTEM PRIVACY POLICY
Privacy Policy for the Warszawski Rower Publiczny System (WRP System) is targeted at providing users of the WRP System with information required by Art. 13 and 14 of the Regulation of EU 2016/679 from 27 April 2016 (general data protection regulation hereinafter referred to as GDPR) pursuant to the processing of their data under the WRP System by the following Co-Controllers: Zarząd Dróg Miejskich with its registered seat in Warsaw and NEXTBIKE GZM Sp. z o.o. with its registered seat in Warsaw.
I. Personal Data Controller
With respect of your personal data, hereinafter referred to as „Personal Data”, two specified-below data
Co-Controllers appear who jointly decide about the goals and methods of personal data processing.
Co-controllers, as specified in the preceding sentence, are:
1. Zarząd Dróg Miejskich (ZDM), ul. Chmielna 120, 00- 801 Warszawa, tel. 22-55-89-100;
2. NEXTBIKE GZM Sp. z o.o. with registered seat in Warsaw at: ul. Przasnyska 6b, 01-756 Warszawa
II. Objective of personal data processing
The objective of data processing is the execution of actions under Common Processing Actions. Data are processed for the purposes related to the provision of services available as part of the Warszawski Rower Publiczny system for the benefit of WRP Clients resulting from the execution of Agreement no. ZDM/UM/DZP/19/PN/3/2 dated 22 June 2022.
III. Legal basis for personal data processing
Legal basis for data processing under Common Processing Actions towards the users of the WRP System shall be
1. Art. 6 par. 1 letter b of GDPR:
a) in the scope of conclusion and execution of agreement concluded as a consequence of acceptance of the
Warszawski Rower Publiczny System Terms of Service;
2. Art. 6 par. 1 letter c of GDPR:
a) in the scope of actions related to the issuance of VAT invoices;
b) in the scope of duties related to the conduct of financial accounting and provision of archiving;
3. Art. 6 par. 1 letter e of GDPR:
a) in the scope of tasks conducted for the public good, in particular, the realization of goals related to the
functioning of WRP;
4. Art. 6 par. 1 letter f of GDPR:
a) in the scope of establishing, pursuing and protecting against claims;
b) in the scope of protecting justified interest, i.e. securing property of each of the Co-Controllers,
including in particular stations and bikes; in the scope of servicing demands or granting replies to enquiries
submitted by means of the contact form
c) monitoring and improving the quality of services, including customer service.
Establishing, pursuing and protecting against claims, ensuring safety of property, ensuring contact with respect
to matters related to the WRP system functioning constitutes a legally justified interest of Co-Controllers.
IV. Personal data recipients
Access to Personal Data may be granted to the following data recipients:
1. service providers who obtained or were entrusted with personal data by way of an agreement for the purposes
of executing services provided for the benefit of the Co-Controller in the scope necessary for the correct
execution of such services, including in particular suppliers of IT services, payment operators (for the
purposes of conducting payments in the WRP system), consulting firms and legal firms (for the purposes of
conducting civil legal proceedings, penal proceedings towards WRP Clients who used the WRP System in breach of
the Terms of Service), debt-recovery firms specified in the provisions of law (recovery of unsettled financial
receivables for the use or improper use of the WRP System),
2. entities authorized to obtain Personal Data on the basis of the provisions of law.
V. Period of storing personal data
Personal Data shall be stored by the Co-Controller, that is ZDM, for the period compliant with internally binding
office instructions or the generally binding regulations concerning accounting and document archiving, i.e. for
the period of 5 years.
In case of Personal Data processed by the Co-Controller, i.e. NEXTBIKE GZM sp. z o.o., the period of processing
after completion of use of data from the WRP system by the given entity may each time be extended by the period
of maturity of claims should Personal Data processing turn out to be necessary in order to establish or pursue
potential claims or protect the Co-Controller against such claims or by a period stemming from the provisions of
law, including in particular the provisions on accounting.
VI. Principles of personal data collecting
Submission of Personal Data by a person who is their subject is voluntary. Failure to submit data shall result in lack of possibility of agreement execution.
VII. Rights related to the processing of personal data
The person who is the data subject may exercise the following rights with respect of each of the
Co-Controllers:
1. the right to demand access to their Personal Data and to amend them;
2. the right to limit their Personal Data processing in situations and according to principles specified in Art.
18 of GDPR or to delete them in accordance with Art. 17 of GDPR (“Right to be forgotten”);
3. the right to submit an objection, at any point in time, towards the processing of their Personal Data, as
specified in Art. 21 par. 1 of GDPR due to causes related to a specific situation, as specified in Art. 21 par.
1 of GDPR;
In case of matters related to Personal Data processing as well as exercising the rights to which the parties who
are such data subjects are entitled one may contact Co-Controllers through directing the correspondence to the
following address:
1. Zarząd Dróg Miejskich ul. Chmielna 120, 00- 801 Warszawa, or
2. NEXTBIKE GZM Sp. z o.o. with registered seat in Warsaw at: ul. Przasnyska 6b, 01-756 Warszawa.
Zarząd Dróg Miejskich designated a data protection inspector who may be contacted by means of an email address:
[email protected]
NEXTBIKE GZM Sp. z o.o. with registered seat in Warsaw at ul. Przasnyska 6b, 01-756 Warszawa designated IOD who
may be contacted at the following email address: [email protected]
Furthermore, the person who is the personal data subject shall be entitled to submit a complaint against their
personal data processing by the Co-Controllers to the Chairman of the Office of Personal Data Protection
(address at ul. Stawki 2, 00-193 Warszawa).
VIII. AUTOMATED DECISION MAKING
Your Personal Data shall not be used for the purpose of automated decision making or profiling.
IX. TRANSFERRING PERSONAL DATA TO THIRD COUNTRIES
Personal Data are not transferred outside of the EEA territory.
X. COOKIES FILES
1. Cookies files are used in the framework of the WRP System.
2. In simple terms, cookies files are minor text files which are saved on your computer or smartphone in the
course of displaying our website or using our application. There are various types of cookies files.
3. Cookies files which are necessary in order to use our application and our website service the purpose, among
others, of remembering preferences selected by you and monitoring the status of logging in. These cookies files
are applied by default, thus, we save them on your computer or smartphone during your stay on our website (in
accordance with Art. 173 par. 3 of the Act on Telecommunication Law). We do not apply other cookies files apart
from those that are necessary.
4. The following cookies files are used in the framework of the WRP System:
| Name | Goal | Period of storing |
|---|---|---|
| qtrans_front_language | Tracking down the selected interface language | Duration of user session |
| nextbike-react | Information concerning user session (encrypted) | 14 days |
| thirdparty | Checking if the browser services cookies 3rd party (for the purpose of logging in through iframe). | Duration of user session |
Necessary cookies files - they ensure correct functioning of our website and its basic functions. Without them you will not be able to correctly use our online services. These cookies files are exempt from the obligation of obtaining your consent (Art. 173 par. 3 of the Act on Telecommunication Law).
XI. PRIMARY CONTENT OF ARRANGEMENTS AGREED BY CO-CONTROLLERS
| Entity | Activity |
|---|---|
| Each of the Co-Controllers | Ensuring safety of Personal Data processing through implementing relevant technical and organizational means adequate for the given type of Personal Data and the risk of breaching the rights of persons who are such data subjects. |
| Each of the Co-Controllers | Information obligation specified in Art. 13 and 14 of GDPR shall be realized by means of provisions of the WRP System Privacy Policy. |
| Each of the Co-Controllers | Completion of the risk analysis adequately to actions which concern the area of operations of a given Co-Controller. |
| Co-Controller whose actions or omissions are covered by a given enquiry | Granting replies to enquiries of a person who is the data subject (it concerns in particular those enquiries and declarations in the scope of the right of information and transparent communication, access to Personal Data, amending, removing, limiting the processing, transfer of Personal Data, objection against the processing of Personal Data), the Con-Controller whose actions or omissions refer to the given enquiry shall be the relevant one. |
| Co-Controller the action or omission of whose resulted in the given breach | Fulfilment by Co-Controllers of obligations in the scope of managing breaches of Personal Data protection and their submission to the supervisory body or to a person who is such data subject. |
| Each of the Co-Controllers | Fulfilment by Co-Controllers of obligations in the scope of managing breaches of Personal Data protection and their submission to the supervisory body or to a person who is such data subject. |
| Each of the Co-Controllers | Each Co-Controller is obliged to maintain a register of processing actions by itself as specified in Art. 30 § 1 of GDPR. |
| Each Co-Controller (everyone by itself) | Due to the fact of using geolocalization data prior to commencing the processing an assessment shall be exercised of the effects of planned operations related to the processing for the protection of Personal Data (DPIA). |
| Each of the Co-Controllers | Prior to commencing the Processing conducting of the assessment of effects of planned processing operations for the protection of personal data and is obliged to fulfil the obligations specified in Art. 35-36 of GDPR. |