Privacy Policy
PRIVACY POLICY OF THE WEBSITE www.pl-us.pl
§ 1 GENERAL PROVISIONS
This Privacy Policy, hereinafter referred to as the “Policy”, sets out the rules for processing personal data of Users of the website www.pl-us.pl, hereinafter referred to as the “Website”, operated by Telewizja Republika S.A., based in Warsaw, ul. Pawia 55, 01-030 Warsaw, registered in the KRS under number 0000446368, REGON: 146432210, NIP: 1080014156, hereinafter referred to as the “Administrator”.
The Administrator processes personal data in accordance with applicable law, including:
a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR),
b) Act of 10 May 2018 on the protection of personal data,
c) Act of 18 July 2002 on the provision of electronic services,
d) Act of 16 July 2004 Telecommunications Law.
Using the Website means acceptance of the rules set out in this Policy.
The Administrator makes every effort to ensure that the processing of personal data is carried out in accordance with the principles of legality, reliability, transparency, and security.
§ 2 RULES FOR PROCESSING PERSONAL DATA
- Purposes of personal data processing
The Administrator processes Users’ personal data in accordance with the law and the highest standards of data protection, for the following purposes:
a) Contract performance and service provision
- Data is processed to perform contracts concluded with Users, in particular to enable registration for events, process payments, fulfill orders, and ensure smooth participation of Users in events organized by the Administrator.
b) Fulfillment of legal obligations
- The Administrator processes data as required by law, including tax, accounting, and business regulations, e.g. for:
- keeping accounting and tax records,
- preparing tax returns and other required reports,
- fulfilling reporting obligations to public authorities.
c) Ensuring security
- Data is processed to protect the Website, its technical infrastructure, and Users from unauthorized actions, including:
- detecting and preventing abuse,
- monitoring IT infrastructure security,
- preventing threats related to cyberattacks and unauthorized access.
d) Marketing and promotion
- Data processing for marketing purposes is carried out only with the User’s consent, in particular for:
- sending promotional materials, including newsletters,
- sending information about products, services, and organized events,
- conducting advertising campaigns using marketing tools.
e) Analysis and optimization
- Data is used to analyze the functioning of the Website and its optimization, including:
- statistical analysis of User behavior patterns,
- using analytical tools (e.g. Cloudflare) to improve service quality,
- monitoring and improving business processes based on analytical data.
- Scope of processed personal data
The Administrator processes Users’ personal data in accordance with the principle of minimization, processing only data necessary to achieve the purposes specified above:
a) Identification data
- First name, last name, and possibly other data enabling unambiguous identification of the User, if required for the purposes of processing.
b) Contact data
- Email address, phone number, and, in justified cases, correspondence or residential address, depending on the type of services provided.
d) Technical data
- Data regarding the use of the Website, such as:
- IP address,
- device and browser information,
- information about User activity on the Website, including system logs and data obtained via cookies or similar technologies.
e) Image
- Data related to the User’s image, if consent is given for its recording, e.g. during events organized by the Administrator, for archival, promotional, or documentation purposes.
Legal bases for personal data processing
The Administrator processes Users’ personal data based on applicable law, in particular in accordance with:
Art. 6(1)(a) GDPR – where the User has given consent, e.g. for marketing purposes,
Art. 6(1)(b) GDPR – when processing is necessary for the performance of a contract or pre-contractual actions,
Art. 6(1)(c) GDPR – where processing is required by law,
Art. 6(1)(f) GDPR – when processing is necessary for the legitimate interests of the Administrator, such as ensuring Website security, data analysis, or defense against claims.
Data retention period
Personal data is stored for the period necessary to achieve the purposes of processing, in particular:
- for data processed under a contract – for the duration of the contract and the limitation period for claims arising from it,
- for data processed under a legal obligation – for the period required by law,
- for data processed based on consent – until the User withdraws consent,
- for data processed based on the Administrator’s legitimate interest – until an effective objection is raised or the interest ceases.
Personal data protection principles
The Administrator provides appropriate technical and organizational measures to ensure that personal data processing complies with GDPR and guarantees confidentiality, integrity, and availability. In particular, the Administrator undertakes actions in the field of:
- encryption of sensitive data,
- regular review of security policies,
- staff training,
- minimizing the scope of processed data and restricting access only to authorized persons.
§ 3 DISCLOSURE OF PERSONAL DATA
Scope and principles of personal data disclosure
The Administrator may disclose Users’ personal data only to the extent necessary to achieve the specified processing purposes, in accordance with the law, including GDPR. Any data transfer is carried out in a manner that secures the rights and freedoms of Users and in accordance with the principle of minimization. Data may be disclosed to the following categories of recipients:
a) Payment service providers
- Users’ personal data is disclosed to payment service providers, such as Stripe, Inc., to process payments for services provided by the Administrator or for participation in events. Only information necessary for financial transactions is transferred, such as contact details, transaction amounts, and bank account details.
b) Technical entities servicing the Website
- The Administrator cooperates with technical service providers, including Cloudflare, Inc., to ensure Website security, improve performance, and protect against cyber threats. Data transferred to these entities includes technical information such as IP addresses, server logs, browser data, and other information necessary to provide services.
c) Organizational partners
- In the case of event organization, personal data may be transferred to entities supporting the implementation of these events, such as technical partners, venue operators, logistics companies, or marketing agencies. Data is transferred only to the extent necessary for event organization and service, including participant registration, participation handling, and promotional activities if the User has consented to processing for marketing purposes.
d) Public authorities
- Personal data may be disclosed to public authorities, such as courts, law enforcement agencies, or state administration bodies, only to the extent required by law. Data transfer is carried out in particular to fulfill the Administrator’s legal obligations, such as keeping accounting records, reporting suspected crimes, or complying with court orders.
- Transfer of data outside the European Economic Area (EEA)
a) Principles of data transfer to third countries
- Personal data may be transferred outside the EEA only to entities providing adequate safeguards in accordance with GDPR, in particular based on:
- European Commission decisions recognizing a country as providing an adequate level of personal data protection,
- Standard Contractual Clauses (SCC), which ensure an adequate level of data protection under Art. 46 GDPR,
- Binding Corporate Rules (BCR), approved under Art. 47 GDPR,
- Exceptions specified in Art. 49 GDPR, such as the User’s explicit consent to such data transfer.
b) Examples of data transfer outside the EEA
- Cooperation with entities such as Stripe, Inc. or Cloudflare, Inc. may involve the transfer of personal data to the United States (USA). In such cases, the Administrator uses standard contractual clauses approved by the European Commission or other data protection measures required by GDPR to ensure an adequate level of personal data security.
- Obligations of data recipients
The Administrator requires all data recipients, both within the EEA and outside it, to apply appropriate technical and organizational measures to protect transferred personal data and comply with GDPR. The Administrator ensures that data transfer is carried out only on the basis of data processing agreements (in accordance with Art. 28 GDPR), which regulate the scope, purposes, and principles of data processing in detail.
- Disclosure of data based on consent
If the disclosure of personal data is not required by law, contract, or the Administrator’s legitimate interests, it is carried out only with the User’s explicit consent. The User has the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Prohibition of further data disclosure
All entities to whom Users’ personal data is disclosed are obliged to use it only for the purposes for which it was provided. The Administrator ensures that no personal data is disclosed to third parties for marketing purposes without the User’s explicit consent.
- Monitoring and reporting data transfers
The Administrator keeps records of all cases of personal data transfer, including transfers to third countries, in accordance with the requirements of Art. 30 GDPR. This documentation includes information on the purpose of the transfer, data recipients, and safeguards used, ensuring transparency of data processing and enabling verification of compliance with legal requirements.
§ 4 USE OF CLOUDFLARE
Scope of cooperation with Cloudflare, Inc.
The Website uses services provided by Cloudflare, Inc., located at 101 Townsend St., San Francisco, CA 94107, USA (hereinafter: “Cloudflare”), to ensure optimal functioning and security of the Website. Cloudflare acts as a data processor on behalf of the Administrator, in accordance with GDPR requirements, based on appropriate data processing agreements.
Purposes of data processing by Cloudflare
Cloudflare processes Users’ personal data for the following purposes:
a) Protecting the Website against cyber threats
Identifying and blocking potentially malicious network traffic, such as DDoS attacks, hacking attempts, or other activities that may disrupt the Website’s operation.
b) Ensuring fast and secure website loading
Using a global content delivery network (CDN) to reduce page load times, minimize latency, and ensure uninterrupted access to the Website, even during high traffic.
c) Collecting analytical and diagnostic data
Processing technical data, such as IP addresses, browser and device information, server logs, and traffic patterns, to monitor and optimize Website performance and detect anomalies.
Scope of data processed by Cloudflare
As part of its services, Cloudflare may process the following categories of data:
a) IP addresses of Website visitors;
b) Technical details of browsers and operating systems used;
c) Data on Website activity, including access logs, visit times, and browsing patterns;
d) Network traffic data, such as HTTP headers, URLs, server response statuses.
Legal basis for data processing by Cloudflare
The use of Cloudflare services and personal data processing is based on the following legal grounds:
a) Art. 6(1)(f) GDPR – the Administrator’s legitimate interest in ensuring security, reliability, and optimization of the Website;
b) Art. 6(1)(a) GDPR – User consent, if required, e.g. for analysis and reporting of website traffic using advanced Cloudflare features.
Transfer of data outside the European Economic Area (EEA)
As part of cooperation with Cloudflare, Users’ data may be transferred outside the EEA, in particular to the United States, where Cloudflare’s servers are located. To ensure an adequate level of data protection, the Administrator has concluded agreements with Cloudflare based on Standard Contractual Clauses (SCC) approved by the European Commission, in accordance with Art. 46 GDPR.
Data protection measures used by Cloudflare
Cloudflare implements advanced technical and organizational measures to protect Users’ data, including:
a) Data encryption during transmission (SSL/TLS);
b) Data segmentation to restrict access only to authorized entities;
c) Real-time traffic monitoring and automatic anomaly detection;
d) Compliance certifications with international data protection standards, such as ISO 27001.
Access to detailed information
Users can obtain detailed information about Cloudflare’s data protection principles and personal data processing in the Cloudflare Privacy Policy, available at: https://www.cloudflare.com/privacypolicy/.
Users’ rights
Users have the right to:
a) Information about the processing of their data by Cloudflare;
b) Object to data processing based on legitimate interest;
c) Withdraw consent to data processing, if it was the legal basis for processing;
d) Request deletion, restriction of processing, or data transfer in accordance with GDPR.
Contact regarding data protection
Users with questions about data processing by Cloudflare can contact the Administrator using the contact details provided in this Privacy Policy, or contact Cloudflare using the information available on its website.
§ 5 COOKIE POLICY
Use of cookies
The Website uses cookies, which are small text files stored on the User’s device to:
a) Ensure proper functioning of the Website
Guaranteeing correct operation of technical functions and basic Website services, such as navigation or optimal content display.
b) Personalization of content and User experience
Adapting Website content to individual User preferences (e.g. language selection, page appearance settings).
c) Analysis of traffic and User behavior on the Website
Collecting anonymous statistical data about Website usage, such as number of visits, traffic sources, or navigation methods, to improve functionality.
Types of cookies used
a) Necessary
Cookies enabling the use of basic Website functions, such as navigation or security. They are required for the proper functioning of the Website and cannot be disabled.
b) Functional
Cookies remembering User preferences (e.g. language settings, selected regions), which improve the comfort of using the Website.
c) Analytical
Cookies used to collect data on how the Website is used, such as visited pages, time spent on the site, and traffic sources. This data is used only for statistical purposes and to improve Website functionality and content.
Cookie retention period
a) Session cookies
Stored on the User’s device until the browser session ends and deleted after closing the browser.
b) Persistent cookies
Remain stored on the User’s device for a specified period or until manually deleted by the User.
User management of cookies
The User has the right to manage cookies according to their preferences, including deleting or blocking them. This can be done via browser settings. Detailed instructions for popular browsers are below:
Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
Safari: https://support.apple.com/en-us/guide/safari/sfri11471/mac
The User should remember that restricting the use of cookies may affect the functionality of the Website, including access to some parts and services.
Third-party cookies
The Website may use cookies provided by third parties, such as:
a) Google Analytics – to analyze traffic and User behavior on the Website, in accordance with Google’s Privacy Policy: https://policies.google.com/privacy
b) Cloudflare – to protect the Website against cyber threats and speed up its operation, in accordance with Cloudflare’s Privacy Policy: https://www.cloudflare.com/privacypolicy/
Legal basis for processing data from cookies
a) For necessary cookies – processing is based on the Administrator’s legitimate interest, in accordance with Art. 6(1)(f) GDPR.
b) For other cookies (functional, analytical) – processing is carried out only with the User’s consent, in accordance with Art. 6(1)(a) GDPR.
Contact regarding cookies
Users with questions about the cookie policy can contact the Administrator using the contact details provided in the Privacy Policy.
§ 6 DATA RETENTION PERIOD
General principles for personal data retention
The Administrator undertakes to store Users’ personal data only for the period necessary to achieve the purposes of processing, in accordance with applicable law, contracts concluded with Users, and data protection guidelines. Retention periods are determined to minimize data processing and ensure compliance with data protection principles under GDPR.
Retention periods depending on the purpose of data processing
a) Data processed for contract performance or service provision
- Stored for the duration of the contract or service provision and for the period necessary to fulfill obligations arising from the contract, including any claims related to its performance (in accordance with Art. 6(1)(b) GDPR).
b) Data processed to fulfill legal obligations
- Data is stored for the period required by law, especially for accounting, tax, or archival documentation. For example, accounting documentation is stored for 5 years from the end of the tax year in which the tax obligation arose (in accordance with Art. 6(1)(c) GDPR).
c) Data processed based on User consent
- Stored until the User withdraws consent, unless the purpose for which consent was given ceases earlier (in accordance with Art. 6(1)(a) GDPR). Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
d) Data processed based on the Administrator’s legitimate interest
- Stored for the period necessary to achieve this interest, in particular until the limitation period for claims under civil law expires (in accordance with Art. 6(1)(f) GDPR).
Retention periods resulting from specific regulations
a) Accounting, tax, and commercial documents – stored for periods resulting from applicable regulations, such as the Accounting Act and tax regulations (e.g. 5-year retention period for tax documentation).
b) Documents related to legal claims – stored for the limitation period for claims, which may range from 3 to 10 years, depending on the nature of the claim.
Data deletion after the retention period
After the above periods, personal data is permanently deleted, unless further retention is required to fulfill legal obligations or protect the Administrator’s interests, or is based on separate User consent. Data is deleted in a way that prevents its recovery and unauthorized access.
Monitoring compliance with retention periods
The Administrator implements appropriate procedures and control mechanisms to monitor and ensure compliance with data retention periods. Regular data reviews allow for the elimination of unnecessary information and minimize the risk of non-compliance with data protection regulations.
User rights regarding data retention
The User has the right to obtain information about the retention period of their personal data or the criteria used to determine it. Users with questions about data retention can contact the Administrator as indicated in § 1 of the Privacy Policy.
§ 7 USER RIGHTS
- Scope of rights
Users whose personal data is processed by the Administrator have the following rights under GDPR:
a) Right of access to personal data
- The User has the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data and detailed information on, among other things, processing purposes, categories of processed data, data recipients, and retention period.
b) Right to rectification of personal data
- The User has the right to request immediate rectification of inaccurate personal data and to complete incomplete data, including by submitting an additional statement.
c) Right to erasure of personal data (“right to be forgotten”)
- The User has the right to request deletion of their personal data if:
- the data is no longer necessary for the purposes for which it was collected,
- the User has withdrawn consent and there is no other legal basis for processing,
- the User has objected to processing,
- the data was processed unlawfully,
- the obligation to delete results from legal regulations.
d) Right to restriction of personal data processing
- The User may request restriction of processing in situations where:
- they contest the accuracy of personal data – for a period allowing the Administrator to verify its accuracy,
- processing is unlawful, but the User opposes deletion and instead requests restriction of use,
- the Administrator no longer needs the data for its purposes, but the User needs it to establish, exercise, or defend claims,
- the User has objected to processing – until it is determined whether the Administrator’s legitimate interests override the User’s interests.
e) Right to data portability
- The User has the right to receive their personal data provided to the Administrator in a structured, commonly used, machine-readable format. The User also has the right to transmit this data to another controller without hindrance from the current Administrator, where technically feasible.
f) Right to withdraw consent to personal data processing
- The User may withdraw consent to the processing of their personal data at any time if processing was based on such consent. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
g) Right to lodge a complaint with a supervisory authority
- The User has the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) if they believe that the processing of their personal data violates data protection regulations.
- Procedure for exercising User rights
a) To exercise their rights, the User may contact the Administrator via the dedicated email address: kontakt@telewizjarepublika.pl or send a written request to the Administrator’s registered address.
b) The Administrator reserves the right to verify the User’s identity before fulfilling the request, to ensure data security.
c) The Administrator undertakes to consider the request and respond within no more than 30 days from receipt, in accordance with Art. 12(3) GDPR. In justified cases, this period may be extended by another 60 days, in which case the User will be informed of the reasons for the delay.
d) If the User’s request is rejected, the Administrator will inform them of the reasons and the possibility to lodge a complaint with PUODO or take legal action.
- Limitations on the exercise of User rights
Some User rights may be subject to limitations resulting from legal regulations. For example, the right to erasure does not apply if processing is necessary:
a) to fulfill a legal obligation requiring processing under EU or national law,
b) to establish, exercise, or defend claims.
- Security and confidentiality in exercising rights
The Administrator implements appropriate technical and organizational measures to ensure secure exercise of User rights, in particular protection against unauthorized access, data loss, or unlawful processing.
§ 8 DATA SECURITY
Technical and organizational measures used by the Administrator
The Administrator takes all necessary steps to ensure the highest level of security for Users’ personal data, in particular:
a) Data encryption – Data transmitted via the Website is protected using encryption technology (SSL/TLS), ensuring confidentiality and integrity.
b) Access restriction – Access to personal data is limited only to authorized persons who have been properly trained in data protection and have the necessary permissions.
c) Regular audits and security tests – The Administrator conducts regular audits and security tests, including penetration tests, to identify and eliminate potential system vulnerabilities.
d) Infrastructure security – The Website and personal data are stored on servers that meet high security standards, including system redundancy and protection against physical and cyber access.
e) Backups – Data is regularly archived and stored as backups, enabling quick recovery in case of system failures or security incidents.
f) Monitoring and incident response – The Administrator uses real-time monitoring tools to detect and counter potential threats, such as DDoS attacks, unauthorized access attempts, or malware.
Principles of responding to data protection breaches
In the event of a data protection incident, the Administrator acts in accordance with legal requirements and internal security procedures:
a) Incident assessment – The Administrator promptly analyzes the breach to determine its nature, scope, and potential impact on Users’ rights and freedoms.
b) Notification of supervisory authorities – If the breach may result in a high risk to the rights and freedoms of individuals, the Administrator reports the incident to the relevant supervisory authority (President of the Personal Data Protection Office) within 72 hours of detection, in accordance with Art. 33 GDPR.
c) Notification of Users – If the breach may negatively affect Users (e.g. confidentiality breach, data theft), the Administrator promptly informs affected individuals, indicating:
- type of breach,
- potential consequences,
- remedial measures taken,
- recommendations for Users to limit potential consequences (e.g. password change, vigilance against phishing attempts).
d) Remedial actions – The Administrator takes all possible steps to limit the effects of the incident and implement additional safeguards to prevent similar events in the future.
Confidentiality principles
All personal data processed by the Administrator is treated as confidential and subject to special safeguards. Access to data is granted only to persons whose professional duties require data processing and who are obliged to maintain confidentiality under appropriate agreements and internal regulations.
Cooperation with external service providers
The Administrator cooperates only with entities that ensure compliance with GDPR requirements and apply appropriate technical and organizational measures to protect data. All such entities act under data processing agreements concluded with the Administrator.
Staff education and training
The Administrator provides regular training on personal data protection and information security for persons with access to data, to increase their awareness and competence in counteracting data protection threats.
Raising security standards
The Administrator regularly reviews and updates procedures and safeguards in response to changing threats and technological developments, to ensure the highest level of User data protection.
§ 9 FINAL PROVISIONS
- Right to modify the Policy
The Administrator reserves the right to make changes to this Privacy Policy in the event of:
a) entry into force of new legal regulations or amendments to existing ones affecting the scope of personal data processing,
b) technological development, including the introduction of new tools or technical solutions used on the Website that may affect data processing,
c) changes in the Website’s activities, including adding new functionalities or modifying existing ones that require adjustment of data processing rules.
- Publication and entry into force of changes
a) The amended Privacy Policy will be published in a way that ensures its availability to all Users on the Website.
b) Changes take effect on the date of publication on the Website, unless another date is expressly indicated in the amended Policy.
c) Users are encouraged to regularly review the Privacy Policy to stay informed of any changes.
- Questions and contact with the Administrator
Any questions, doubts, or comments regarding the content of this Privacy Policy, personal data processing rules, or the exercise of User rights may be addressed to the Administrator:
a) Email address: kontakt@ttelewizjarepublika.pl,
b) Inquiry service hours: Monday to Friday, 9:00–17:00,
c) Response time: The Administrator undertakes to respond to inquiries as soon as possible, no later than 14 days from receipt.
- Final provisions
a) If any provision of this Policy is found to be invalid or ineffective by a competent authority, the remaining provisions shall remain in force.
b) This Privacy Policy is governed by the law in force in the territory of the Republic of Poland.
© 2025 TV Republika. All rights reserved.