1. General information

Benefit Systems SA with its registered office in Warsaw, Pl. Europejski 2, 00-844 Warszawa (“Benefit Systems”, “we”) takes personal data protection very seriously. We exercise due diligence to ensure that your personal data are processed in accordance with the applicable provisions of both Polish and European Union law, including the Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“the GDPR”).

This document sets forth the legal basis for the processing, collection and use of your personal data and the measures taken in this regard, and its purpose is also to inform you of your rights in relation to our processing of your personal data. Benefit Systems uses your personal data for the purposes set forth in this document or for any other purpose indicated at the time when you provide them.

2. What is the importance of personal data security for Benefit Systems?

Benefit Systems takes security of the data we hold very seriously. We have implemented the relevant policies and procedures, conduct training courses in data protection and regularly check the security models in place in terms of their adequacy for securing the data we process.

3. What are personal data?

Personal data mean any information relating to an identified or identifiable natural person (e.g. first name and surname, e-mail address, card number, IP address). Benefit Systems processes personal data for various purposes. Depending on the purpose, different legal bases for personal data processing, collection methods and storage periods may apply.

4. What is data processing?

Data processing includes all activities or operations which are performed on your personal data (e.g. collection, storage, erasure or analysis).

We strive to be transparent about the basis for, and the method of, processing your personal data.

It is our policy to collect only the personal data necessary for the purposes specified and to request such data from you only when absolutely necessary.

5. Who is the controller of your personal data?

The controller of your personal data is Benefit Systems.

6. What does this mean?

This means that Benefit Systems makes decisions about the purposes and methods of processing your personal data, i.e. the manner in which they will be used.

7. How to contact us to obtain more information about the processing of your personal data?

You can contact us as follows:

• by mail to the following address: Pl. Europejski 2, 00-844 Warszawa, in an envelope marked “Dane osobowe” [“Personal data”];
• by e-mail: daneosobowe@benefitsystems.pl;
• by phone at: +48 22 242 42 42;
• by using the contact form available at: https://www.benefitsystems.pl/formularz-dane-osobowe/.

or by writing to our Data Protection Officer at iod@benefitsystems.pl

8. How are your personal data processed?

The manner in which your personal data are processed depends on the relationship you have with Benefit Systems. Below, you will find information concerning the processing of personal data of the following categories of persons:

• MultiSport Card users (Section 9.1);
• representatives of an entity which is a party to an agreement concluded with Benefit Systems, e.g. of a Client, Partner (Section 9.2);
• persons making a request (including persons contacting us through our hotline or another dedicated contact channel) (Section 9.3);
• job applicants (Section 9.4);
• visitors to our premises (video surveillance) (Section 9.5).

The above list of categories is not exhaustive. If you do not belong to any of the groups listed above and would like additional information about the processing of your personal data, please contact us. You will find contact details in Section 7 above.

9. If you are…

9.1. A MultiSport Card user

How have your data been collected?

We have received them from your employer who provided us with your data, or directly from you via various channels of communication including: through the MultiSport Programme application form submitted to us via your employer, through the online platform on which cards can be ordered, and through the User Zone (in the case of sports card users).

What is the purpose and legal basis of the processing of your personal data?

We process your data because:

• you consented to this in order to enable the provision of a service related to your participation in the MultiSport Programme;
• we have a legitimate interest in the processing of your data in the form of direct marketing consisting in proposing new products or services or in order to improve the quality of our services by conducting analyses and statistics and measuring customer satisfaction with our services by way of contacting you through a communication channel of your choice;
• we have a legitimate interest in being able to exercise or defend legal claims;
• it is necessary for the performance of an agreement concluded with Benefit Systems (e.g. in order to maintain an account on our online platform).

We also process your data for tax and accounting purposes, since this is required by applicable laws.

If you have given separate consent for this, we process your personal data for the following purposes:

• holding contests and promotional campaigns you can take part in;
• marketing the products and services offered by our affiliates;
• after you have opted out of the MultiSport Programme, for direct marketing purposes consisting in proposing new products or services or in order to improve the quality of our services by conducting analyses and statistics and measuring customer satisfaction with our services by way of contacting you through a communication channel of your choice.

For how long are your personal data processed?

Depending on the purpose and basis, we store your data during the periods indicated below:

• in order to provide a service – until you opt out of the MS Programme or until you withdraw your consent, whichever occurs first;
• for direct marketing purposes based on our legitimate interest – until your card is deactivated or until you object to such processing, whichever occurs first;
• for direct marketing purposes based on your consent (i.e. after you have opted out of the MultiSport Programme) – until you withdraw your consent;
• for marketing the products and services offered by our affiliates based on your consent – until you withdraw your consent;
• in order to exercise or defend legal claims – until the claims limitation period has expired or until an effective objection to the processing of data has been lodged;
• for tax and accounting purposes – to the extent and for the period consistent with the applicable laws.

Who do we transfer your personal data to?

Your data may be transferred to the following entities: authorised employees and associates, Partners (sports and recreation facilities), the Client (your employer), entities which print your card, providers of additional services available under the MultiSport Programme, entities which service and maintain IT systems and terminals, entities which support electronic payment services, entities which provide services related to handling Users and supporting our marketing activities, entities which conduct audits. Your data may also be transferred to public authorities.

What rights do you have in connection with our processing of your data?

Your rights are described in detail in section 10 of this Policy.

Are your data transferred to countries outside the European Economic Area?

Your personal data are not transferred outside the European Economic Area (EEA). In some cases, your personal data may be transferred outside the EEA by the entity which has enabled you to use the Card. However, such transfer may only take place pursuant to GDPR provisions.

Are your personal data processed automatically (including by profiling), affecting your rights?

Based on your personal data, we conduct profiling, i.e. the automatic assessment of some of your personal characteristics. Profiling enables us to present you with customised offerings. Based on your profile, we are able to adjust our products to your expectations and preferences. In our profiling, we use data e.g. on the size of the entity which enables you to use the card, the size of the town or city in which you use the card, your use of sports facilities and the type of activities you engage in. In addition, we take statistical data related to the above information into account during profiling.

We do not make any decision concerning you which would be based solely on automated processing, including profiling, of your information and which would produce legal effects concerning you or similarly affect you in a significant way.

9.2. A representative of an entity which is a party to an agreement concluded with Benefit Systems, e.g. of a Client, Partner:

What is the purpose and legal basis of the processing of your personal data?

Your personal data are processed:

• in order to conclude an agreement with the entity you represent and to perform this agreement. The processing of your personal data is based on our legitimate interest in being able to contact the entity with which we have concluded an agreement;
• in order to exercise, establish or defend legal claims. The processing of your personal data is based on our legitimate interest in being able to defend against legal claims or exercise such claims;
• for tax and accounting purposes. The legal basis for data processing are legal obligations arising from tax laws (Tax Ordinance, Act on Value Added Tax, Act on Corporate Income Tax) and from accounting laws (Accounting Act);
• for direct marketing purposes consisting in Benefit Systems proposing new products or services or in order to improve the quality of our services by conducting analyses and statistics and measuring customer satisfaction with our services by way of contacting you through a communication channel of your choice. The legal basis for processing is your consent.

For how long are your personal data processed?

Depending on the purpose, we store your data during the periods indicated below:

• for purposes related to the conclusion and performance of the agreement – until the end of the agreement term;
• for direct marketing purposes – until you withdraw your consent;
• in order to exercise or defend legal claims – until the claims limitation period has expired or until an effective objection to the processing of data has been lodged;
• for tax and accounting purposes – to the extent and for the period consistent with the applicable laws.

Who do we transfer your personal data to?

Entities which process personal data on our behalf: authorised employees and associates, entities which service and maintain IT systems, providers of additional services available as part of collaboration with us (e.g. sports and recreation, training, multimedia and technological services), entities which support our marketing activities, Benefit Systems subcontractors within the scope of agreement performance, including the printing of cards and their delivery to recipients. Recipients of your data may also include entities which conduct audits and public authorities.

Are your data transferred to countries outside the European Economic Area?

Your personal data are not transferred outside the European Economic Area (EEA).

What rights do you have in connection with our processing of your data?

Your rights are described in detail in section 10 of this Policy.

Are your personal data processed automatically (including by profiling), affecting your rights?

Your data will be processed automatically, i.e. using IT systems, but they will not be subject to profiling.

We do not make any decision concerning you which would be based solely on automated processing, including profiling, of your information and which would produce legal effects concerning you or similarly affect you in a significant way.

9.3. A person contacting us through our hotline or another dedicated contact channel

How have your data been collected?

We have received them directly from you via various channels of communication, including:

• contact forms available on our website;
• phone contact with our hotline;
• e-mail contact to all e-mail addresses made public by us (e.g. daneosobowe@benefitsystems.pl, iod@benefitsystems.pl).

The provision of these data was not your obligation, but was necessary for us to handle your case.

What is the purpose and legal basis of the processing of your personal data?

We process your data for the following purposes:

• to handle the case submitted by you, including the provision of answer to your question – data processing takes place in response to your request and within the framework of our so-called legitimate interest, or possibly in connection with the fulfilment of a legal obligation imposed on us by applicable laws (e.g. where the case referred to above relates to your request to exercise your rights under the GDPR);
• archival and evidentiary purposes – data processing takes place within the framework of our legitimate interest in defending or exercising legal claims.

For how long are your personal data processed?

Your data will be processed during the period in which the case submitted by you is handled, and after its handling has been completed, until the claims limitation period related to the case has expired.

Who do we transfer your personal data to?

Recipients of your personal data may include our employees and associates, entities which service and maintain IT systems, entities which conduct audits and public authorities.

Are your data transferred to countries outside the European Economic Area?

Your personal data are not transferred outside the European Economic Area (EEA).

What rights do you have in connection with our processing of your data?

Your rights are described in detail in section 10 of this Policy.

Are your personal data processed automatically (including by profiling), affecting your rights?

Your data will be processed automatically, i.e. using IT systems, but they will not be subject to profiling.

We do not make any decision concerning you which would be based solely on automated processing, including profiling, of your information and which would produce legal effects concerning you or similarly affect you in a significant way.

9.4. A job applicant:

Information concerning our processing of job applicants’ personal data is available at:

https://www.benefitsystems.pl/o-nas/kariera/obowiazek-informacyjny-dla-kandydata/

9.5. A visitor to our premises (video surveillance)

What data do we process and where have we obtained them from?

We process information about your image, which has been recorded as part of the operation of our video surveillance system.

Your data was collected by us directly from you when you visited our registered office in Building C of the Warsaw Spire complex at Plac Europejski 2, 00-844 Warsaw, floors 11–14.

What is the purpose and legal basis of the processing of your personal data?

Your personal data are processed in order to ensure the safety of the persons present at our premises as well as to protect our property and keep secret information whose disclosure could be harmful to us.

For how long are your personal data processed?

We process your personal data for 14 days from the recording date. This period may be extended if the recordings are used as evidence in legal proceedings. In this case, we will process them until the legal proceedings have been finally concluded.

Who do we transfer your personal data to?

Recipients of your personal data may include our authorised employees and associates, entities which service and maintain IT systems and public authorities.

Are your data transferred to countries outside the European Economic Area?

Your personal data are not transferred outside the European Economic Area (EEA).

What rights do you have in connection with our processing of your data?

Your rights are described in detail in section 10 of this Policy.

Are your personal data processed automatically (including by profiling), affecting your rights?

We do not make any decision concerning you which would be based solely on automated processing, including profiling, of your information and which would produce legal effects concerning you or similarly affect you in a significant way.

10. Rights of the data subject:

You have the following rights in relation to our processing of your personal data:

• the right to access your data – you have the right to access the data we process;
• the right to request the rectification of your personal data – you can update the personal data provided to us. Depending on the purpose of processing, changes may be made pursuant to the terms and conditions of the service you use or by contacting us pursuant to Section 7 of this Policy;
• the right to withdraw consent to the processing of your personal data – if we process your personal data on the basis of your consent, you have the right to withdraw this consent at any time. Note, however, that this does not affect the lawfulness of our processing of your data before you withdrew your consent. You can withdraw your consent to the processing of your personal data by contacting us in the manner set forth in Section 7 of this Policy.
• the right to object to the processing of your data – you have the right to object to the processing of your personal data when processing is based on a legitimate interest, and the objection is justified by your particular situation.

In the case of data processing for direct marketing purposes, including profiling for such purposes, you may object at any time.

• the right to request that the processing of your personal data be restricted – you have the right to restrict the processing of your personal data at any time, unless such processing is required by applicable laws. In this case, we will restrict such processing to data storage unless it is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
• the right to personal data portability – you have the right to receive your personal data from us in a structured, commonly used and machine-readable IT format. You can transmit those data to another data controller or request that we transmit your data to another data controller, but we will only do so if this transfer is technically feasible.
• the right to request the erasure of your personal data – you can submit a request that your data be erased and if your data are no longer necessary in relation to the purposes for which they were collected, we will erase them.

In order to exercise these rights, please contact us or our Data Protection Officer in one of the ways set forth in Section 7 of this Policy. Your request will be handled without undue delay and in any event within one month of its receipt. Should this period be extended, we will inform you of any such extension and the reasons for the delay.

• the right to lodge a complaint with a supervisory authority competent for data protection.

11. Changes to this document

We will regularly review and update this document in connection with amendments to applicable laws and any new measures we may take to improve the security of your personal data.

This document was last updated on 10/06/2019.

12. Contact us

If you have additional questions concerning the scope of the Privacy Policy, you can submit them using the contact form available at https://www.benefitsystems.pl/formularz-dane-osobowe/

Please indicate the topic of your message in the contact form, which will enable us to handle your request more efficiently.

13. FitSport Polska sp. z o.o.

The rules contained in this policy shall also apply to FitSport Polska sp. z o.o. with its registered office in Warsaw, address: Plac Europejski 2, 00-844 Warszawa, entered in the Register of Entrepreneurs by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under No. KRS 0000422757, NIP [tax identification number]: 5252532584, REGON [statistical identification number]: 146231491, with a share capital of PLN 50,000.00, which is an active VAT taxpayer.

 

Websites and webpages of Benefit Systems SA with its registered office in Warsaw (“Benefit Systems”) may send and use cookies and other similar technologies. This Policy on cookies shall apply, without limitation, to the following websites (“Websites”): www.benefitsystems.pl, www.kartamultisport.pl, www.emultisport.pl, and possibly also to other Websites if these refer to its provisions.

Below you will find information about the cookies we use, the Local Storage technology, and also additional important information on how the Websites operate, including information on web push notifications.

What are cookies and what do we use them for?

Cookies are text files which are stored on your terminal equipment (computer, laptop, smartphone, etc.) via your browser. When you visit the Websites, your browser sends this file and this enables us to recognise it during each visit. Cookies are necessary to enable the user to navigate the Websites and use their resources. In addition, by collecting information on how users use the Websites, cookies ensure the proper operation of the Websites and improve their performance, allowing the required information to be found more quickly.

What types of cookies do we use?

Session cookies

Session cookies are temporary files which are stored from the moment you access the Website but only until you close your browsing session or until you close the browser itself.

Permanent cookies

These are cookies which make it easier to use the Websites, and they are stored for an extended period of time. The Websites store cookies with information about:

• whether the message concerning cookie management has been displayed. This file is kept for one year from the moment it is saved on your terminal equipment;
• the town/city in which you are located, provided that you have consented to your location being disclosed.

The www.kartamultisport.pl website additionally uses a cookie to store information about:

• the application status, including whether you have read our tutorial on how to use the search engine. Information on application status is stored until you change your browser settings.

Third-party cookies

These are files which originate from external websites that cooperate with our Websites. Our Websites use certain files to collect statistical information on how you use them. These cookies are stored from the moment you visit our platform.

For this purpose, we use tools which help us understand the needs of users of our Websites:

1. Google Analytics – it is a tool used to count visits to the Websites, measure their duration and determine which functionalities or sections of the Websites are most frequently used or visited and how they are used by individual users. The information collected in this manner allows us to analyse the performance of the Websites and determine the directions for the development of new functionalities and services. For further information, please refer to the Google Analytics Cookie website. You can opt out of the storage of cookies from Google Analytics on your device at this address.
2. Hotjar – it is a tool that uses cookies and other technologies to collect data about:
   1. our users’ behaviour on our webpages, e.g. the time spent on individual webpages, most frequently used links, problems encountered – this allows us to develop and maintain the Websites in accordance with our users’ preferences;
   2. our users’ devices, including without limitation the IP address of the device (this is only captured and stored in anonymised form), device screen size, device type (unique device identifiers), browser information, geographical location (country only) and the preferred language used to view our website.

Hotjar stores this information in a pseudonymised user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.

3. Synerise – a tool provided by Synerise S.A. which supports activities aimed at automating marketing and sales processes, including the processing of marketing and sales data and conducting their complex analytics using a multi-channel model, by collecting information on the behaviour of visitors to our Websites.

Advertising cookies

These files are responsible for displaying ads which are tailored to your preferences. Both our cookies and third-party cookies (e.g. from Google Adwords) are used to conduct marketing campaigns and remarketing campaigns that reach you with our marketing messages if you have visited our Websites before. These cookies remember that you have visited our Websites and also your activities on our Websites. The information collected in this manner is passed on to third-party suppliers.

Managing analytical cookies

You can opt out of the anonymous recording of your activities on websites in analytical cookies. The privacy policies of our service providers and information on how to opt out of their cookies can be found at the following addresses:

• Adobe: http://www.adobe.com/privacy/opt-out.html
• Google Analytics: http://www.google.com/analytics/learn/privacy.html
• Hotjar: https://www.hotjar.com/legal/compliance/opt-out and https://www.hotjar.com/legal/policies/privacy.

Are cookies dangerous?

No, since cookies are not computer programs and cannot be used as code. They do not spread viruses and each user can manage the cookies stored on his or her terminal device. Moreover, cookies only store data snippets which do not allow the user to be fully identified.

Managing cookies

We only use cookies with the user’s consent. You may at any time disable or modify the storage of cookies on your terminal device by changing the appropriate settings in your web browser. By default, the web browser allows files to be saved on your terminal device, and thus enables us to process the data stored in these files.

As cookies are also used to remember your cookie preferences, you should be aware of the consequences of changing the relevant settings, including without limitation:

1. If you disable the storage of cookies on your terminal device, it may not be possible to log in to the www.kartamultisport.pl website and use its functionalities.
2. If you use a different terminal device, a different profile on your computer or a different web browser, you will need to set your cookie preferences again.

For detailed information on how to manage cookie settings, we recommend that you follow the instructions for the web browser you are using:

• Internet Explorer
• Chrome
• Safari
• Firefox
• Opera

For mobile devices:

• Android
• Safari
• Windows Phone
• Blackberry

Additional important information concerning Website operation:

Local Storage

The Websites also use a technology called Local Storage. Local Storage is a location where information is stored in your browser. In this location, we save the information about the MultiSport cards you have selected so that you do not have to re-select them when you visit next time.

We also store your searches in Local Storage so that when you re-enter them they will appear in prompts and thus your search will be faster.

Local Storage stores data indefinitely until you restore default settings or make manual changes to your browser cache. You will find the relevant instructions on the help page of the browser you are using.

Web push notifications (used only on the kartamultisport.pl website):

What are web push notifications?

Web push notifications are short messages which appear on your device’s screen.

For us, they are a marketing tool which supports our communication with you. For you, they are a source of information on our services, including news, facilities and seasonal activities, campaigns, competitions or events.

How can I turn them on?

We need your consent to send you web push notifications. When you visit www.kartamultisport.pl, we will ask you whether you want to receive notifications from us. We will also ask you to read the information presented here. If you are interested, click “Zgadzam się”/“I agree”, which will allow us to send you content which may interest you even after you have left our website.

What information about you (your personal data) do we have in connection with sending notifications?

If you have agreed to receive notifications, we have the following information:

• the date and time of your subscription for push notifications;
• the location related to your browser settings;
• browser type and identifier (a randomly assigned number), operating system, type of device (tablet, mobile, desktop);
• the actions which you take on our website: the pages visited and links clicked.

The scope of data we hold does not allow us to identify you unambiguously. However, since in certain circumstances this information may be considered personal data, we process them pursuant to GDPR provisions.

What is the purpose and legal basis of the processing of your personal data?

The purpose of processing your personal data is to market our products and services. Since the services referred to above may be the result of our collaboration with our affiliates, the messages which we will send to you with your consent may include commercial and marketing information both from us and from our affiliates.

The legal basis is our legitimate interest and your consent.

How can I opt out of notifications?

You can withdraw your consent and thereby opt out of receiving notifications at any time. In order to do this, you just need to change the settings of your web browser. You can do this e.g. as follows:

• Google Chrome

Go to Browser settings > Advanced > Content settings > Notifications. In the browser address bar, the following address will be displayed: chrome://settings/content/notifications The list will include all websites on which you agreed to push notifications. If you want to unsubscribe, just select Remove from the menu.

• Firefox

Under Options > Privacy and security, there will be the Permissions > Notifications section. In the list, find the pages whose notifications you want to unsubscribe, and then select Block.

• Chrome Android

After entering Chrome, click More > Settings > Notifications to the right of the address bar. In the list, find the pages whose notifications you want to unsubscribe, and then untick them.

For how long are your personal data processed?

We process your data until you withdraw your consent to receive push notifications. Above, we describe the manner in which you can withdraw your consent.

Who do we transfer your data to?

Recipients of your data are our authorised employees and associates and also the entity which provides us with a platform for sending web push notifications.

Are your data transferred to countries outside the European Economic Area?

We do not transfer your data outside the European Economic Area.

Are your personal data processed automatically (including by profiling)?

Your data is processed automatically, including by profiling. Based on your profile, we are able to adjust our messages to your expectations and preferences. For example, you will receive messages about products you are interested in or about events which take place in your area. For profiling, we use information about your activities on our website as well as information about your location (if you provide it to us).

We do not make any decision concerning you which would be based solely on automated processing, including profiling, of your information and which would produce legal effects concerning you or similarly affect you in a significant way.

What rights do you have in connection with our processing of your data?

Your rights arising from our processing of your personal data are described in detail in Section 10 of the Privacy Policy.

Google Tag Manager

The website uses Google Tag Manager. This service enables the administration of website tags via an interface. Google Tool Manager only implements tags. This means that no cookies are set and no personal data are collected. Google Tool Manager activates other tags, which in turn may collect data as needed. However, Google Tool Manager does not gain access to these data. Any deactivation on the domain or cookie level remains in effect for all tracking tags if they are implemented in Google Tag Manager.

As the Website operator, Benefit Systems has implemented solutions required by the Directive on privacy and electronic communications (Directive of the European Parliament and of the Council), which covers the use of cookies, because it uses best practices to treat its customers fairly and openly.