Privacy policy

This document, the Privacy Policy, regulates the way we process personal data of website users (“Website”).
The protection of your personal data in the course of our business is of utmost importance to us. That is why we offer safe use of our online services, respecting the right to privacy and protection of personal data.
In accordance with Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data (“GDPR”) and Act No. 506/2004 on the processing of personal data and the protection of privacy in the electronic communication industry, as amended and supplemented, our company is obliged to process personal data in accordance with the rules of processing, only for the purposes indicated below and maintaining security.

Processing rules

We process personal data of website users in accordance with the following principles:

  1. Personal data is processed in a lawful, fair and transparent manner for users.
  2. Personal data is collected only for specific, explicit and lawful purposes and may not be processed in a manner incompatible with these purposes.
  3. Personal data must be adequate, relevant and not exceed the purposes for which they were collected or for which they are further processed.
  4. Personal data must be accurate and, where necessary, kept up to date; every possible effort should be made to remove or rectify incorrect, incomplete data, taking into account the purposes for which they were collected or for which they are processed.
  5. Personal data are not stored longer than necessary for the purposes for which they were collected or for which they are further processed.
  6. Personal data will be processed in a safe manner, ensuring a level of protection against illegal or unauthorized access, as well as against destruction or damage. We ensure the protection of the privacy of personal data of Website users in accordance with the requirements of the GDPR.
  7. It is necessary to demonstrate compliance with the principles set out in points 1-6 above, for which purpose you should document the rules and requirements for the processing of personal data.

Purposes of processing

We will only process personal data that is appropriate, relevant and absolutely necessary for the indicated processing purposes. Personal data is processed for the following purposes, which we will always present in a clear and unambiguous manner, in principle through Notifications or other means used to provide information to users (e.g. through posters, symbols, etc.):

  1. to contact you for information purposes (i.e. non-marketing information),
  2. to create and analyze your profiles in order to present you with content tailored to your preferences and to improve our services,
  3. to carry out marketing and general advertising activities as well as loyalty activities and surveys,
  4. in order to carry out activities of an economic, financial and/or administrative and management nature,
  5. to centralize our activities and maintain an internal database that stores information about you, enabling us to access such information for the purpose of using it (i.e. the use of this data includes its processing by our internal applications as part of our business),
  6. to perform internal analyses (including statistical analyses, preparing reports) on the client portfolio, improving and developing services, and conducting market research and analyses enabling the improvement and development of our services, as well as the services of the NEPI Rockcastle Group and its Partners,
  7. for archiving, resolving disputes, conducting investigations or for other applications/claims to which we are a party, as well as to conduct risk assessment of our procedures and processes as well as inspections and investigations in our company,
  8. to ensure a high level of security both in terms of computer systems (e.g. applications, networks, infrastructure, website) and in physical locations,
  9. to provide users with support services upon their request.

Access to information

Each time we receive personal data from you or other entities, we will inform you about all issues regarding:

  1. identity and contact details of the operator and personal data inspector,
  2. the type of data,
  3. the purposes of processing,
  4. grounds for processing,
  5. the need to process on the basis of a legal provision/performance of a contract and the consequences of your refusal,
  6. categories of recipients to whom we transfer your personal data,
  7. whether we transfer this data to third countries,
  8. the period of storage of such data by us and
  9. your rights with regard to the processing of your personal data.

This information will be made available through Notifications or other channels that we use for this purpose (e.g. posters, symbols, etc.).

Access to your data

Access to your data will be granted only to those persons or entities with whom we cooperate for the purposes of processing (new or planned recipients) for whom we are able to demonstrate a legitimate interest in accordance with the provisions of the GDPR or to whom we have to disclose data on the basis of a legal obligation imposed on us.
The following entities and their employees have access to your data:

  1. IT service providers (e.g. software maintenance and development, website maintenance and development),
  2. market research providers, providers of services we use to provide commercial information, providers of traffic monitoring services and the behavior of users of internet tools, providers dealing with the individual customization of commercial information, providers of marketing services via social media, providers of marketing content,
  3. Companies from the NEPI Rockcastle Group (the “Group”).

We will oblige the above entities and their employees to respect the confidentiality of such data and to ensure a high level of protection of user data processing.
We will also share your personal data with judicial authorities, public institutions or central or local government authorities based on a duly justified request or legal obligation.

Security of personal data

We will use all security measures necessary to protect personal data transferred, stored or otherwise processed against destruction, loss, unlawful or accidental damage, unauthorized disclosure or access, and against other unlawful processing. The safeguards we implement regarding the personal data of users are able to ensure the confidentiality, integrity, availability and durability of processing systems and services as well as the ability to efficiently restore the availability and access to personal data after a physical or technical incident.

In the cases provided for by the GDPR, in the event of a breach of personal data protection, we will duly notify the competent authorities and the persons concerned.

Correctness of personal data

We process personal data that is correct and we have an updated procedure for this purpose. Therefore, we take all necessary steps to ensure that personal data inaccurate in the light of the purposes of the processing are immediately deleted or rectified.

Retention period

Personal data is processed and stored for the necessary period for which we provide access to the website.

Your rights

As users of the Website, you have the following rights that you may exercise individually or in combination with regard to the data we hold about you:

  1. The right to access data – you can request confirmation as to whether your personal data is processed by us or not, and if so, you can request access to it and specific information on this subject. On request, we also issue a copy of the processed personal data. Additional copies will be issued on the basis of a request for a fee, in accordance with the actual cost incurred by us.
  2. The right to rectify data – you have the right to rectify incorrect personal data and supplement incomplete personal data, including by providing additional information.
  3. The right to delete data (“the right to be forgotten”) – in situations expressly provided for by law, you can obtain from us the option to delete data. Thus, the user may request the deletion of personal data if:
    • personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
    • you withdraw the consent on the basis of which the processing is based;
    • you object to the processing in accordance with the right to object;
    • the processing of your personal data is unlawful;
    • data must be deleted in accordance with the legal obligation that is imposed on us.
  4. The right to restrict processing – you may request the restriction of the processing of personal data in certain situations provided for by law, e.g. if:
    • you contest the accuracy of your data while the accuracy of the data in question is checked;
    • the processing is unlawful, but you object to the deletion of the data;
    • these data are necessary for you to establish, assert or protect your rights in court, and we no longer need this data;
    • you have objected to the processing of your personal data – for the time we check that our legitimate interest does not override your rights and freedoms.

    In such situations, except for storage, the data will no longer be processed.

  5. The right to object to the processing of personal data – you may at any time, for reasons related to your particular situation, object to the processing (including profiling) of your personal data based on our legitimate interest or – where applicable – based on the performance of a task that is in the public interest or resulting from an obligation imposed on us by a public authority.
    Marketing materials sent electronically may contain brief information on the possibility of objecting to the processing of personal data for the purpose of sending commercial information. If you object to the processing of personal data for the purposes of sending commercial information, your personal data will no longer be processed for these purposes.
    The right to object to the sending of commercial information by us applies when the processing of personal data for the purpose of sending commercial information is based on (i) our legitimate interest or (ii) an existing contractual relationship with us and concerns products similar to those that have already been covered by the contract, and not based on the consent granted.
  6. The right to data transferring – you can receive your personal data in a structured machine-readable format and request the transfer of data to another operator. This right only applies to personal data provided by you directly to us and only applies if the processing of personal data is automated and based on the legal basis, which is the performance of a contract or the consent of the person.
  7. The right to lodge a complaint – you can lodge a complaint about the way we process your personal data. The complaint should be submitted to the President of the Office for Personal Data Protection.
  8. The right to withdraw consent – you may withdraw your consent to the processing of personal data by us at any time when the processing is based on the consent granted. Withdrawal of consent has effect only for the future and does not affect the processing carried out until consent is withdrawn.
  9. Additional rights related to automated decision making when providing services – if we use automated decision making regarding personal data and these decisions significantly affect you, you have the right to (a) obtain human intervention in relation to such decision, (b) express your opinion on such processing, (c) receive an explanation of the decision taken, and (d) contest the decision.

The above rights (except for the right to lodge a complaint to the President of the Personal Data Protection Office) may be exercised individually or collectively by sending a letter/message as follows:

  • by letter to the following address: BIAŁYSTOK PROPERTY SP. Z O. O. Piękna 18, 00-549 Warsaw, Poland;
  • by e-mail to the following e-mail address: Data.Protection@nepirockcastle.com.

In addition, a Data Protection Officer (“DPO”) has been appointed at the Group level, who can be contacted in case of any concerns regarding the protection of personal data and the exercise of data protection rights. You can contact the DPO by means of a written, dated and signed request using the contact details listed above.

Privacy policy and other documents regarding the processing of personal data

This Privacy Policy is a general framework that reflects the principles of personal data processing in our company.
During each visit to our website (“Website”), we process the following personal data: IP address, browser type, type of computer and operating system used, date and time of entry and location.
As a result of using the Website, we place cookies or other similar technologies on your computer to enable you to use the services of our Website easily and efficiently and to provide, protect and improve the functions of our Website. More information on cookies can be found in the Cookie Policy available on our website in the “Cookies” section.

Changes to the Privacy Policy

This Privacy Policy was last updated on November 26, 2018.
We reserve the right to update and change this Privacy Policy at any time. Additional information will be included in an updated document available on our website. Therefore, when visiting the Website, you should check the Privacy Policy tab, as it may have changed since your last visit. If you have any questions about the information on this page, please contact us at data.protection@nepirockcastle.com.