Version valid as of 1 June 2022
Table of contents:
If you want to go to the selected section, click on the link below:
We treat personal data protection at Benefit Systems S.A. ("Benefit Systems", "we") very seriously. We exercise due diligence to ensure that your personal data are processed in accordance with the applicable provisions of both Polish and European Union law, including the Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Below you will find information on how we process your data, in particular the legal basis for processing, methods of collecting and using your personal data and your rights in connection with the processing of your personal data.
The Controller of your personal data is Benefit Systems (Benefit Systems S.A. with its registered office in Warsaw, at Plac Europejski 2, 00-844 Warszawa).
This means that Benefit Systems makes decisions about the purposes and methods of processing your personal data, i.e. the manner in which they will be used.
You can contact us in any of the following ways:
• using the contact form
• via e-mail to: firstname.lastname@example.org
• via the e-mail address dedicated to customers of our fitness clubs: email@example.com
• by post to: Benefit Systems S.A. Pl. Europejski 2, 00-844 Warszawa, in an envelope marked “Personal data”.
Contact with the data protection officer
We have designated a personal data officer, who can be contacted in any matters concerning the processing of your personal data. You can do this by e-mail to: firstname.lastname@example.org Benefit Systems S.A. Pl. Europejski 2, 00-844 Warszawa, in an envelope marked “IOD”.
To be able to do our business, we need to process personal data. Personal data are any information relating to an identified or identifiable natural person (e.g. first name and surname, e-mail address, MultiSport card number, IP address).
As a rule, you provide us with your data on your own, e.g. when contacting us or using our services.The types of personal data we process depend on your relationship with us (whether you are a customer, website user, MultiSport card user, or partner).
When you use our websites or applications, we process the data that you have provided in the registration form and in the account, data about your activity on the website or application (e.g. interaction with content, etc.) and data about your device (i.e. IP address, data collected by means of cookies or other similar technologies, browser data, IDs). To find out more about cookies, go to our “Cookies Policy” [link]
When you join the MultiSport Programme or the MultiLife Programme, use our Cafeteria, sign a Fitness Club subscription or use our other services (such as BenefitLunch, MultiBilet, or MultiTeatr), we process your data, such as identification data, contact details and data relating to your use of our services (including the services of our affiliated entities and providers of additional services offered in connection with the MultiSport Programme, MultiLife, our Cafeteria, a membership card of our Fitness Club or our other services). We receive the data directly from you, e.g. through the registration form or when signing the contract at the Fitness Club of your choice or on the Club's website. We may also receive your data from the entity that has enabled you to use the MultiSport Programme, MultiLife Programme, Cafeteria or our other services, and from providers of additional services and benefits.
When we have a business relationship with you, we process your data, such as your identification data, contact data, data relating to your function, data on the cooperation, orders and settlements. If you are a party to a contract with us, we have received the data directly from you. If you are a representative or a contact person of an entity that is a party to a contract signed with Benefit Systems, we have received the data from the entity that is a party to the contract. We could also receive data from an intermediary that helped us establish the cooperation with you or an entity for which you are a representative or contact person.
The manner in which your personal data are processed depends on the relationship you have with Benefit Systems. Below you will find information on the purposes for which we usually process personal data.
If you cannot find below any description that would fit our relationship, and you would like to get additional information about how we process your data, please contact us. You can find contact details above in section How to contact us? [link]
It may happen that due to the specific nature of your use of our services, we might process your personal data in a manner other than that indicated below. In that case, we will inform you of such processing before it starts.
Purposes of the processing:
Provision of services as part of our websites or mobile applications
Performance of a contract for provision of services by electronic means in accordance with a terms of service (Article 6(1)(b) of the GDPR);
Administering the infrastructure and ensuring security of the infrastructure and the services provided
Our legitimate interest connected with administering and ensuring security of infrastructure and services (Article 6(1)(f) of the GDPR);
Facilitating the use, keeping statistics, as well as improving and developing our services, including websites and applications
Our legitimate interest connected with adaptation, improvement and development of our services (Article 6(1)(f) of the GDPR);
Providing services or tailored marketing content that uses special categories of data (e.g. health data)
Your explicit consent (Article 9(2)(a) of the GDPR);
Showing you, in the search engine or in the application, facilities that are closest to your location
Our legitimate interest connected with helping you find a facility, subject to your consent for our access to location data (Article 6(1)(f) of the GDPR);
Conducting a competition or lottery, including selecting a winner, handing over prizes, publishing the winner's personal data
Our legitimate interest connected with organisation of the competition or lottery (Article 6(1)(f) of the GDPR);
Running our websites in social media
Our legitimate interest connected with promoting our products and services (including those prepared together with counterparties), as well as products and services of third parties, including companies from the Benefit Systems Group, and keeping statistics on the use of our websites (Article 6(1)(f) of the GDPR);
Provision of services related to the participation in the MultiSport or MultiLife Programme
Your consent (Article 6(1)(a) of the GDPR);
Provision of services related to the use of the Cafeteria and other services (such as BenefitLunch, MultiBilet, MultiTeatr)
Performance of the contract between you and Benefit Systems (Article 6(1)(b) of the GDPR);
Our legitimate interest connected with the provision and settlement of services (Article 6(1)(f) of the GDPR);
Provision of services related to your use of our Fitness Club or other services when you enter into a contract with us
Performing the contract between you and Benefit Systems, e.g. the contract for the provision of services by our Club (Article 6(1)(b) of the GDPR);
Your consent relating to the processing of your image or fingerprint to identify you when entering our Club (Article 6(1)(a), Article 9(2)(a) of the GDPR);
Our legitimate interest (Article 6(1)(f) of the GDPR) connected with promoting our products and services, as well as products and services of third parties, including companies from the Benefit Systems Group
Displaying advertisements or offers to you that may be tailored to your interests, activity on websites and applications, or your location
Providing you with marketing content (tailored or not), using the communication channel of your choice (e.g. e-mail, SMS/MMS, telephone) concerning our own products and services, as well as products and services prepared together with counterparties of Benefit Systems, which are offered to our users and customers as additional benefits (e.g. dietary, coaching, educational and development services) or products and services of third parties, including companies from the Benefit Systems Group. You can find a list of third parties here.
Our legitimate interest (Article 6(1)(f) of the GDPR) connected with presenting you with marketing content, including content tailored to you on the basis of profiling, in connection with your consent to the use for this purpose of the communication channel of your choice.
Providing you with marketing content as part of a business relationship concerning our own products and services, as well as products and services prepared together with counterparties of Benefit Systems, which are offered to you as additional benefits (e.g. dietary, coaching, educational and development services) or products and services of third parties, including companies from the Benefit Systems Group. You can find a list of third parties here.
Your consent (Article 6(1)(a) of the GDPR) our legitimate interest (Article 6(1)(f) of the GDPR) connected with presenting you with marketing content, including content tailored to you on the basis of profiling, in connection with your consent to the use for this purpose of the communication channel of your choice (depending on the information provided at the consent gathering stage)
Conducting analytics, marketing statistics and surveys of service satisfaction and profiling, i.e. using data about your interests in order to provide you with tailored offers and content
Our legitimate interest (Article 6(1)(f) of the GDPR) connected with evaluating the efficiency of marketing activities, improving the quality of our user service, and improving our products and services. Your explicit consent relating to special categories of personal data (Article 9(2)(a) of the GDPR);
Performing a contract and conducting cooperation with counterparties, customers and partners
When you are a party to a contract with Benefit Systems, we process your data as this is necessary for the performance of the contract (Article 6(1)(b) of GDPR);
When you are a representative or a contact person of our counterparty, we act on the basis of our legitimate interest consisting in the ability to correctly enter into and perform the contract and cooperate with our counterparty (Article 6(1)(f) of the GDPR);
Handling a matter you have raised, including answering a question you have asked or examining a complaint you have submitted.
Our legitimate interest (Article 6(1)(f) of the GDPR) connected with handling inquiries or complaints addressed to us and ensuring the highest quality of service;
Fulfilment of the legal obligation (Article 6(1)(c) of the GDPR) imposed on us by law (e.g. where the matter you have referred to us constitutes a request to exercise your rights under the GDPR);
Implementation of legal obligations, particularly those arising from tax and accounting laws
Applicable law (Article 6(1)(c) of the GDPR);
Exercising, establishing or defending legal claims
Our legitimate interest consisting in the ability to establish or defend a legal claim (Article 6(1)(f) GDPR);
We store your data for a period necessary to achieve the processing purposes outlined above in the section How do we process your personal data? [link]. We will delete the data when they are no longer needed for the above purposes. We store your data in particular:
• to perform the contract and provide services until the contract has been performed or the service provision has ended, and subsequently for a period necessary for effective investigation or defence against claims, which is usually 3 or 6 years, but may be shorter or longer in certain situations provided for by law;
• when law imposes certain obligations on us, in particular tax and accounting obligations, we will process the data necessary for the performance of those obligations for the period required by law;
• when we process data on the basis of your consent, we will process them no longer than until you withdraw your consent;
• when we process data on the basis of a legitimate interest, we will process them no longer than until the objection is effectively raised, unless the data are no longer necessary for the performance of our legitimate interests.
Information on our processing of personal data of job applicants is available at http://www.benefitsystems.pl/o-nas/kariera/obowiazek-informacyjny-dla-kandydata/.
The way in which we process personal data for marketing purposes depends on the type of relationship between us (e.g. whether you have signed up on our website or mobile application, whether you are our customer or counterparty) and the consents you have given us.
Our marketing activities may include displaying advertisements to you on websites or applications, presenting offers or advertisements via a communication channel such as e-mail or telephone (if you have authorised us to deliver marketing content to you via the communication channel of your choice, e.g. e-mail, SMS/MMS, telephone, push notifications), traditional marketing mailings, conducting analyses and statistics for marketing purposes and conducting service satisfaction surveys, including by contacting you by means of the communication channel of your choice. We can also perform profiling for marketing purposes.
We may process your personal data for marketing purposes, including for profiling, in the following cases:
• if you consent to the storage of cookies or similar technologies on your device, we may use the information collected by means of those technologies to provide you with advertisements or offers tailored to your potential interests identified on the basis of the content you view and your activity. For example, if you browse pages related to MultiSport packages, we will be able to display you an advertisement for MultiSport or our other services on other websites and in applications;
• if you are a registered user of our website or application and you log in to your account, we will be able to associate information on the content you viewed with you, and use it for profiling purposes to better adjust our marketing communication and offer for you;
• if you have authorised us to deliver marketing content to you via the communication channel of your choice
• if we concluded a contract or cooperate
• if you agree to our use of information about the location of your device (e.g. smartphone), we will be able to display to you advertisements or offers relevant to your location. For example, we will be able to show you an invitation to an event held to celebrate the opening of our new fitness club nearby;
• to conduct analyses and statistics for our marketing needs and to test your satisfaction with the services we offer by contacting you via the communication channel of your choice.
We can also present you with unprofiled advertisements and offers.
What is profiling for marketing purposes?
Our processing of your personal data for direct marketing purposes involves profiling.
Profiling is the use of automatic processing of your data to draw conclusions about your potential interests and preferences. By profiling, we can match products, offers and advertisements to you in the best way possible. As part of profiling, we can also combine information that you leave us when using our different products and services, such as information that you leave when visiting our website or application, using the MultiSport or MultiLife Programme, the Cafeteria, or the services of our Fitness Club.
For profiling, we use tools provided by specialised third parties. See our “Cookies Policy” [link] for more information about our partners and the possibility of adjusting your advertising preferences. We seek to ensure that profiling brings you clear benefits: offers, promotions and advertisements that you may find interesting. In this way, we want to ensure we do not present you with content that might be inappropriate or unattractive for you. Example: if we determine that you are a woman and as part of the MultiSport Programme you regularly attend dance classes in a particular location, this will give us a signal that you may be interested in new dance classes in your favourite location, but you are probably not interested in martial art classes in another, distant city.
Our legitimate interest and your interests, rights and freedoms
We process your personal data for marketing purposes, including profiling, based on our legitimate interest. For this reason, we have assessed whether your interests, rights and freedoms (e.g. the right to privacy) outweigh our interests. This assessment has shown that we can process your personal data in the indicated manner, because:
• we process your personal data for marketing purposes only when we find that you can reasonably expect that processing (e.g. you are a user of the MultiSport card or Fitness Club subscription, you sign up on our website or in our application, and consent to receiving marketing e-mails from us);
• we will send you marketing communications via e-mail, SMS/MMS or phone calls only with your consent;
• we will send you marketing communications about products or services of third parties not affiliated with Benefit Systems via e-mail, SMS/MMS or phone calls only if you separately consent to those communications;
• we enable you to easily object to the processing of your personal data for direct marketing purposes, and we inform you about this right;
• our profiling for marketing purposes does not excessively interfere with your privacy. We focus on what products or services available on our offer you may find interesting. We do not want to provide you with content that you might find unattractive. Based on our profiling, we do not take any decisions against you with adverse legal effects (e.g. refusal to conclude a contract) or that might significantly affect you in a similar way.
• we use technical and organisational measures that adequately protect your personal data.
Our Facebook pages
With regard to data processing for statistics purposes as part of our Facebook pages, we and Facebook Ireland act as joint controllers of your data. The joint controller arrangements can be found at www.facebook.com/legal/controller_addendum
When we use Facebook products, we do so in accordance with Facebook's rules. To find out more about page statistics, go to: www.facebook.com/legal/terms/information_about_page_insights_data
For more information on how Facebook Ireland processes personal data, the legal basis for processing and how to enforce the rights of data subjects against Facebook Ireland, see the "Data Policy" of Facebook Ireland at www.facebook.com/about/privacy
Social media plugins and codes
Remember, if you sign up and log in using external authentication services offered by Facebook, Google, Apple or others, we will receive your personal data, notably your name, surname/ username, profile photo, ID, and authorisation details for a given platform. Depending on your privacy settings in the indicated external platform, we can also receive other data. Before using this service, read the terms and conditions for using the data by the external platform.
In addition, we place social media buttons and codes on our websites and in our applications. When you are redirected to a given social media portal by clicking one of those buttons, you can, for example, like or start following our website. Your activity and personal data are then also processed by the entity operating the portal and are used by that entity for its own purposes, e.g. for marketing. Your activity on pages containing codes and your personal data are collected by entities running social media portals, in particular for statistical purposes and to check whether you are a logged user of this portal, and to enable the provision of services (e.g. logging in by means of your social media account). The data are also further processed for other purposes specified by those entities. This applies to all users of our websites, regardless of whether they are registered users of those social media portals.
We process and enable social media portals to access specified data based on our legitimate interest (Article 6(1)(f) of the GDPR). This consists in enabling you to share your content of interest on social media, facilitating your logging in, and promoting our business, services and products. Detailed information on the processing of your personal data and the method of exercising your rights related to data processing by social medial portals are described in the privacy policies of respective portals. Please read them.
As a rule, providing personal data is not compulsory, but may be necessary for you to use the services provided by Benefit Systems, e.g. to enter into an agreement with us, to participate in our competitions or to have a matter your raise examined. Therefore, your failure to provide your data may in some instances make it impossible for us to provide services or undertake other actions. Our forms used to collect data clearly indicate the data the provision of which is necessary.
Your personal data may be disclosed to the following entities: entities from Benefit Systems Group companies [link], hosting and maintenance service providers for our websites and applications, ICT and IT support and security service providers, data storage and destruction service providers, providers of services that are in addition to the services we provide you with, our Partners (sports and recreation, entertainment, and cultural facilities, hotels, offices and tourist intermediaries), entities that have enabled you to use the MultiSport Programme, MultiLife, Cafeteria or other services (usually your employer or the employer of the person who reported you to the MultiSport or MultiLife Programme), card printers, social network operators, payment operators, firms supporting us in debt collection, entities providing services related to serving our clients, and to other stakeholders (e.g. couriers) and to those entities which support our marketing activities, as well as to legal advisors and auditors.
Your data may also be disclosed to public authorities in cases provided for by law.
As a rule, your personal data are not transferred outside the European Economic Area (EEA). Some of the parties to whom we may provide data are established outside the EEA. We make every effort for the provision of data to be lawful and that all relevant safeguards are in place. Such efforts include in particular application of standard contractual clauses approved by the European Commission. You can contact us to obtain copies of the implemented safeguards. You can find contact details above in section How to contact us? [link]
You have the right to:
• access to your personal data, obtain information from us about their processing, as well as receive a copy of your data from us;
• update your personal data or request their rectification if they are incorrect;
• withdraw your consent to personal data processing at any time. This will not affect the lawfulness of our processing on the basis of the consent prior to its withdrawal;
• object to the processing of your data when the processing is based on a legitimate interest, and the objection is justified by your particular situation;
• object to the processing of your personal data for direct marketing purposes, including profiling;
• request restriction of processing of your personal data if (1) you question the accuracy of your data (for a period enabling us to verify the accuracy of the data); (2) the processing is unlawful and you oppose the erasure of your personal data and request restriction of their use instead; (3) we no longer need your personal data for our purposes, but these data are needed by you for the establishment, exercise or defence of legal claims, or (4) you have objected to the processing of your data – until the objection is found effective;
• personal data portability – with respect to the processing of your data based on your consent or an agreement, you have the right to receive your personal data from us in a commonly used and machine-readable computer format. You can also request that we transfer your data to another data controller, but we will only do so if this transfer is technically feasible;
• request erasure of your personal data – you may request us to erase your data in the following cases: (1) if your data are no longer necessary for the purposes for which they are processed; (2) you have withdrawn the consent on which the processing is based, and there is no other basis for processing; (3) you have effectively objected to the processing; (4) your personal data have been unlawfully processed; (5) your data must be erased because we are required to do so by law.
To exercise the above rights, please contact us or our data protection officer. You can find contact details above in section How to contact us? [link]
Your request will be handled within one month of its receipt. When we need more time, we will inform you about the prolonged time for considering your request and about the reasons for the prolongation. If your request is manifestly unjustified or excessive, we may refuse to take the requested actions.
You also have the right lodge a complaint with a supervisory authority competent for data protection in the EU Member State of your habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office. To learn more about lodging complaints with the President of the Personal Data Protection Office, please visit the following page: uodo.gov.pl/pl/83/155
We will regularly review and update this Policy in connection with amendments to applicable laws and any new measures we may take to improve the security of your personal data.a