for www.shop-tzn.pl being property of Tatrzanski Zwiazek Narciarski
with registered office in ul. Br. Czecha 1, 34-500 Zakopane
Data Privacy Statement
This Privacy Notice is intended to give you an overview of how we use the personal data provided by you. Furthermore, it should provide you with information regarding marketing measures on our website and social media in accordance with the General Data Protection Regulation (hereinafter “GDPR”).
We would also like to inform you about the precautions we take to protect your personal data and about which rights and options you have to view your data and to protect your privacy.
This Privacy Notice contains information about which personal data we collect from you, how we process them and to which third parties we may forward your data.
This Privacy Notice applies to the visit and use of www.shop-tzn.pl website on which a customer account can be created and tickets can be purchased at our online ticket shop.
Regarding the terms used, such as “processing” or “Controller”, we refer to the definitions in Art 4. GDPR.
Who is responsible for the data processing, and whom can you contact?
We, TZN, are the Controller for the processing of your personal data, within the meaning of the GDPR.
Controller responsible for data processing
TZN – Tatrzański Związek Narciarski
ul. Br. Czecha 1, 34-500 Zakopane
E-mail – firstname.lastname@example.org; www.shop-tzn.pl
Data Protection Officer
TZN – Tatrzański Związek Narciarski
ul. Br. Czecha 1, 34-500 Zakopane
E-mail – email@example.com; www.shop-tzn.pl
For what purposes and on what legal basis are your personal data processed?
- Based on your consent (Art. 6 (1) (a) GDPR)
We process your personal data based on your consent if you register for a customer account on our website (optionally with Facebook login), use our comments function, participate in competitions, subscribe for our newsletters or in any case in which an explicit consent is required (e.g. Art. 9 (2) (a) GDPR).
If you have given us your consent to process your personal data, processing will only take place in accordance with the purposes defined and to the extent agreed in the declaration of consent. Consent given may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing.
- For compliance with contractual obligations (Art. 6 (1) (b) GDPR)
Processing of personal data takes place in connection with account management, for the performance of our contract with you (e.g. performance of our services, ticketing services, contacting because of complications regarding the payment processes, reserve transactions of payments, customer support, etc.) and for execution of your orders as well as all tasks necessary for the operation and administration of our company.
- For compliance with legal obligations (Art. 6 (1) (c) GDPR)
Processing of personal data may be necessary for compliance with various legal obligations with regard to contract management, accounting and invoicing.
- To protect the Controller’s legitimate interests (Art. 6 (1) (f) GDPR)
Where necessary, data processing may take place beyond the actual performance of the contract as part of a balancing of interests in favour of TZN, in order to protect our legitimate interests or those of third parties.
Such processing of data takes place in the following cases:
- Mailing of information regarding the upcoming event for which tickets were purchased;
- Mailing of an invitation to rate a visited event (participation is optional);
- Mailing of information regarding similar events;
- Mailing of reminders for booked events;
- Mailing of information regarding upcoming events;
- Purpose of marketing, analysis and advertisements;
- Measures for protecting customers and their employees as well as company property;
- Fraud detection and prevention measures;
- IT Security; and
- In the context of legal proceedings.
Who receives your personal data?
The transmission of your personal data takes place for the purpose of contracting with you on the basis of Art. 6 para 1 (b) GDPR, based on our legitimate interest to improve and promote our products, based on Art. 6 para 1 (f) GDPR, and, if you have given us your consent to the processing of your personal data, based on your consent within the meaning of Art. 6 (1) (a) GDPR.
The protection and confidentiality of your personal data is important to us. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data are collected. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed.
- Transfers to processors
To a limited extent, we pass on personal information to processors who perform services for us such as performance of contracts, payment order, account management, accounting and invoicing, sending newsletter as well as IT services such as management of our platform and databases, providing tools for our products and services, for the purpose of marketing and analysis.
Processors may only use or disclose these data to the extent absolutely necessary to perform services for us or to comply with legal rules. We contractually oblige these processors to ensure the confidentiality and security of the personal data that they process on our behalf.
- Other transfers
We may also transfer personal information concerning you (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.
Are data transferred to a third country or an international organisation?
If we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third party services or disclosure and/or transfer of personal data to third parties, we shall only transfer personal data to comply with our (pre)contractual obligations, based on your consent, a legal obligation or our legitimate interests. Subject to legal or contractual authorisations, we process or have personal data processed in a third country only where the particular conditions of Art. 44 et seq GDPR are met. This means, for example, that processing and the transfer is carried out on the basis of special safeguards, such as the officially recognised setting of level of data protection corresponding to the EU (e.g. for the USA by the “Privacy Shield”) or compliance with officially recognised special contractual obligations (known as “standard contractual clauses”).
For how long are personal data stored and processed?
We process your data for the duration of the entire business relationship (from initiation through performance to termination of a contract), and beyond this, pursuant to statutory retention and documentation obligations.
In addition, the storage period must take into account the statutory limitations periods, for.
Unless expressly stated in this Privacy Notice, personal data processed by us shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations.
What rights and options do you have?
- Right of access
You have the right to request confirmation from us as to whether we are processing personal data concerning you.
Where personal data concerning you are being processed, you have the right, as the data subject, to receive information from us at any time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing. In this regard, as the data subject, you shall have the right to obtain the following information:
- The purposes of the processing;
- The categories of personal data being processed;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of a right to rectification or erasure of the personal data concerning you, or to restriction of processing by the Controller, or to object to such processing;
- The existence of the right to lodge a complaint with a supervisory authority;
- Any available information about the origin of the data where the personal data were not collected directly from you; and
- Where present, the existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data concerning you are transferred to a third country or to an international organisation, you shall also have the right to be informed of the appropriate safeguards relating to the transfer.
- Right to rectification
You shall have the right to request the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure
You shall have the right to request from TZN the erasure of personal data concerning you without undue delay where one of the following grounds applies and if no further processing is required:
- The personal data are no longer needed for the purposes for which they were collected;
- You withdraw your consent on which the processing was based and where there is no other legal ground or overriding legitimate interest for the processing;
- The personal data have been unlawfully processed;
- Erasure of the personal data is required for compliance with a legal obligation under Union or Member State law to which the Controller is subject; or
- The personal data have been collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.
- Right to restriction of processing
You shall have the right to request from us the restriction of processing where one of the following conditions applies:
- You contest the accuracy of the personal data (the restriction shall be put in place for a period which enables the Controller to verify the accuracy of the personal data);
- The processing of your personal data was unlawful and you oppose the erasure of your personal data and request instead the restriction of their use;
- The Controller no longer requires your personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims; or
- You have objected to processing of your personal data and it has not yet been determined whether the legitimate grounds of the Controller override your own.
- Right to data portability
You shall have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
- Right to object
You shall have the right at any time to withdraw your consent to the processing of your personal data.
If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defence of legal claims.
We also use your personal data for direct marketing purposes. You shall have the right to object at any time to processing for such marketing. After your objection has been raised, we shall no longer process your personal data for direct marketing purposes.
- Exercising your rights
Should you wish to exercise one or more of the above-mentioned rights, you can contact our Data Protection Officer Ing. Christian Graf, CDC at any time (see above for contact details).
With which supervisory authority may you lodge a complaint?
Pursuant to Art. 77 GDPR, you shall have the right to lodge a complaint with the competent supervisory authority.
Are personal data processed for purposes other than those for which the personal data were collected?
As a general principle, we only process data for the purposes for which they were collected.
In exceptional cases, however, we may process personal data which we have collected for one specific purpose for another purpose. In this case, we will inform you before the intended processing about the purpose, the period for which your personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to lodge a complaint with the data protection authority, whether provision of the data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.
What types of personal data are processed?
We process, inter alia, the following types of personal data:
- Inventory data (e.g. name, title, sex, addresses, date of birth);
- Contact data (e.g. e-mail, telephone numbers);
- Order data (e.g. bank data for payment orders);
- Image and sound data (e.g. video or telephone recordings);
- Event data (e.g. name of the event, row, seat, number of tickets, seating category, event-related specialized data);
- Content data (e.g. text input, photos, videos);
- Usage data (e.g. websites visited, interest in contents, times of access);
- Meta/communication data (e.g. IP addresses, device information, Geo IP-Location); and
- Advertising and sales data.
We stress that we process personal data only to the extent necessary. In individual cases, therefore, less than the above data may suffice.
We send newsletters, e-mails and other electronic notifications for advertising purposes and to announce news (hereinafter “newsletter”) only with your consent, which is recorded during registration, or where there is a legal basis to do so.
You may unsubscribe from our newsletter, i.e. withdraw your consent, at any time via unsubscribe option available in your customer panel. You will also find a link to unsubscribe at the end of each newsletter. Please note that we will continue to process your personal data until you withdraw your consent, so that we can prove consent previously given to receive newsletters. The processing of these data is limited to the purpose of a possible defence against claims. You shall have the right to request the erasure of your personal data.
If you contact us (e.g. by contact form, e-mail, telephone or via social media), your details will be processed for the purpose of handling and processing the contact request. Your personal data may be stored in a customer relationship management system or a similar organisational tool.
We will erase the contact requests, and your personal data provided to us in them, if their storage is no longer necessary.
Online presence in social media
We maintain an internet presence on social media and platforms (Facebook) in order to communicate with active customers, prospective customers and users and inform them about our services. When you access the respective networks and platforms, the general terms and conditions and data privacy policies of the respective platform operators apply additionally.
Unless otherwise stated in our Privacy Notice, we process the personal data of users who communicate with us within social networks and platforms, e.g. post articles on our websites or send us messages.
How are my data protected?
We take the protection of your personal data very seriously and implement appropriate technical and organisational measures to protect you against unauthorised or illegal processing of your personal data, and against accidental loss, destruction or damage.
How will I find out about changes to this Privacy Notice?
We, TZN are committed to upholding the principles of privacy and data protection. For this reason, we regularly review our Privacy Notice. This is to ensure that it is correct and clearly displayed on our website, contains appropriate information about your rights and our processing activities and is implemented in accordance with applicable law and thus complies with data protection requirements. We update this Privacy Notice when required, in order to take current circumstances into account. In the event that we make significant changes to this Privacy Notice, we will notify you on our website and provide you with the updated version of the Privacy Notice.
Cookies, analysis tools and co
General information regarding cookies
Cookies are used to optimise our website and range of products and services. These are usually what are known as “session cookies”, which are deleted after your visit.
However, some of these cookies also provide information which is used to recognise you automatically next time you visit the website. For this purpose, many cookies contain what is known as a cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that websites and servers associate with the specific internet browser in which the cookie was stored. This allows websites and servers to distinguish the individual browser of the data subject from other internet browsers that contain other cookies. A specific internet browser can be recognised and identified via the unique cookie ID. However, a person cannot be identified via this cookie. There may be exceptions for individual analysis tools, which are explained below. Using cookies also makes it possible to provide more user-friendly services to users of this website.
The online shop remembers the articles that a customer has placed in the virtual shopping basket via a cookie.
The data subject can prevent the setting of cookies through our website at any time by means of an appropriate setting in the internet browser used and may thus permanently object to the setting of cookies. Cookies which have already been set can also be deleted at any time via the internet browser or other software programs. This can be done in all commonly used internet browsers. If the setting of cookies is disabled in the internet browser used, not all functions of our website may be fully usable.
The tracking tools we use are explained in detail below. In addition to the opt-out options described there, web tracking can be enabled and disabled for most providers at http://www.youronlinechoices.eu.
Privacy notice for the use of Google Analytics (with anonymisation feature)
We have integrated the Google Analytics component (with the anonymisation feature) into this website. Google Analytics is a web analytics service. Web analytics is the collection, compilation and analysis of data regarding the behaviour of visitors to websites. A web analytics service collects, amongst other things, data on the website the data subject has come from (known as the referrer), which sub-pages were accessed, or how often and for how long a sub-page was viewed. Web analytics are used mainly for the optimisation of a website and for cost-benefit analysis for internet advertising.
The Google Analytics module is operated by Google LLC (“Google”), 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
For web analytics via Google Analytics, we use the “_gat._anonymizeIp” add-on. With the aid of this add-on, the IP address of the data subject’s internet connection is truncated and anonymised by Google when our web pages are accessed from a European Union Member State or from another signatory state of the Agreement on the European Economic Area.
The purpose of the Google Analytics module is to analyse visitor traffic on our website. Google uses the data and information collected, amongst other purposes, to evaluate the use of our website, to compile online activity reports for our websites for us, and to provide other services in connection with the use of our website.
Google Analytics sets a cookie on the data subject’s IT system. The definition of cookies has already been explained above. By setting the cookie, Google is able to analyse the use of our website. Each time the browser uses the integrated Google Analytics component to access one of the individual pages of this website operated by us, the internet browser on the data subject’s IT system is automatically prompted by the Google Analytics component to transfer data to Google for the purpose of online analysis.
As explained above, the data subject can prevent the setting of cookies through our website at any time by means of an appropriate setting in the internet browser used and may thus permanently object to the setting of cookies. Setting the internet browser in such a way would also prevent Google from setting a cookie on the data subject’s IT system. Cookies already set by Google Analytics can also be deleted at any time via the internet browser or other software programs.
When visiting our website, we may analyse and document how you use our website, e.g. number of website visitors, your surfing behaviour on our website, which events and areas on our website you are interested in, origin of website visitors, and, if you purchase a ticket from us, your order and shopping cart data. For this purpose, we process the following personal data:
- IP address
- UU ID
- WEB ID
- Device Fingerprints
- Browser Fingerprints
- Geo IP-location
We process your personal data in order to improve our website, as well as our products and services on the basis of this analysis, and to show you individual recommendations for our products and services when visiting our website.