Personal Data Controller (PDC): “MSERWIS” (the specification of the entity’s data is provided at the end of the document)
Ladies and Gentlemen,
on 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, the so-called GDPR) enters into force.
This European law, which will be applicable directly in all EU countries from 25 May 2018, governs the handling of personal data across Europe. It concerns, among other things, protecting information about you.
It should be remembered, however, that the GDPR is not intended to block the flow of personal data. On the contrary, this information is needed, for example, to enable us to conclude an agreement with you or to send you our offer. Owing to the GDPR, however, you will have more control over who processes your personal data and how.
In the context of the entry into force of the GDPR, certain information obligations have arisen on our part, which we hereby meet by providing you with the information required by the GDPR.
Within the meaning of the GDPR, MSERWIS can process your personal data by acting in two roles, sometimes simultaneously with the same data:
domains With regard to Internet domain registration, your personal data are processed primarily by a given Registry in which the domain is registered. In order to maintain the domain in the Registry, as the Personal Data Controller, the data are processed by the Registry. In this respect, MSERWIS is only a Processor on behalf of a given Controller. In this regard, the information obligations are directly imposed on the Controller.
hosting The specific nature of hosting services should also be taken into account, as part of which, with regard to the data processed by the MSERWIS’s Customer who uses the hosting service, the controller of the data processed using the hosting service is the MSERWIS’s Customer who purchased such a service. In relation to these data, MSERWIS is only, at the most, a personal data Processor within the meaning of the GDPR. In the context of the exclusion of the hosting provider's liability for stored data, one should also bear in mind Articles 14 and 15 of the Act of 18 July 2002 on the provision of services by electronic means (Journal of Laws of 2002, No. 144, item 1204, also abbreviated to UŚUDE). Of course, this does not affected the fact that MSERWIS has adjusted all its services to the standards required by the GDPR and, if necessary, as a Processor, will conclude with you a personal data processing outsourcing agreement, in accordance with the GDPR.
At the same time, in terms of processing the data of the Customer who purchased the hosting service, MSERWIS acts as the Personal Data Controller and processes the data of the recipient for the purpose of performing the agreement.
At the same time, MSERWIS processes data to perform the agreement, charge fees for its services, and provide technical support – technical assistance.
➔The legal basis for the processing of personal data is as follows:
Article 6(1)(b) GDPR - processing is necessary for the performance of the agreement to which the data subject is a party or to take action at the request of the data subject, prior to the conclusion of the agreement;
➔The data processed are as follows:
MSERWIS:
Domain REGISTRIES typically require at least the same set of data.
The telephone number is often optional, but we require it for technical reasons and in order to be able to contact the customer, e.g. to remind him of the service that is expiring.
Additional data required by some REGISTRIES, e.g.
MSERWIS also processes your data in order to promote its own products or Trusted Partners and to better adapt services to your preferences.
➔The legal basis for the processing of personal data is as follows:
Article 6(1)(f) GDPR – Processing is necessary for the purposes resulting from the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, override such interests, in particular when the data subject is a child.
➔The data processed are as follows:
MSERWIS:
Domain REGISTRIES typically require at least the same set of data.
The telephone number is often optional, but we require it for technical reasons and in order to be able to contact the customer, e.g. to remind him of the service that is expiring.
Additional data required by some REGISTRIES, e.g.
The above data, together with other “technical” data obtained during the use of the services, including the websites administered by MSERWIS, may be used to profile user preferences, in accordance with the concept of functionality of such services / websites (this includes Customer preferences). These data may also be used for marketing purposes pursuant to Article 6(1)(f) GDPR (e.g. marketing of own services or trusted partners in connection with the preferences determined on the basis of profiling).
Your personal data will usually be processed throughout the performance of the agreement – for the purpose of performance of the agreement (Article 6(1)(b) GDPR), as well as for the purposes resulting from the legally justified interests pursued by the Controller or by a third party (Article 6(1)(f) GDPR).
After the performance / termination of the agreement, the data will be further processed – however, for archiving purposes, pursuant to Article 74 of the Accounting Act of 29 September 1994 (Article 6(1)(c) GDPR).
Your personal data may be transferred to other entities for the purpose of performing the agreement / service (Article 6(1)(b) GDPR), as well as for the purposes specified in Article 6(1)(f) GDPR.
The Controller declares that it does not transfer the Data to a third country or an international organisation (i.e. outside the European Economic Area (“EEA”), except in situations which arise from the nature of a specific service (e.g. when the REGISTRY is located in a third country or is maintained by an international organisation).
The Controller also declares that it does not use subcontractors that transfer data outside the EEA, unless such necessity is due to the nature or specific nature of a given service.
Should it be necessary to use subcontractors or partners from outside the EEA, the Controller declares that by means of appropriate agreements it ensures that such third parties meet the level of protection for the processed data adequate to that resulting from the requirements set by the GDPR for the EEA.
The Controller may disclose personal data only to entities authorised to obtain them on the basis of legal regulations and/or relevant agreements, including personal data processing outsourcing agreements.
In particular, your personal data may be transferred to entities processing personal data on behalf of the Controller, including IT service providers, hosting services providers, billing agents (e.g. electronic payments), etc. Your data are also transferred to REGISTERS for the purpose of the performance of agreements – registration and renewal of domains.
Moreover, the Controller may transfer your data to processors, trusted Marketing Partners / marketing agencies, where such entities process the data on the basis of an agreement with the Controller and the transfer of such data is subject to security measures and control by the Controller as the a personal data controller.
Processing of personal data for marketing purposes takes place either on the basis of a relevant consent (Article 6(1)(a) GDPR), or in connection with the existence of legal grounds other than consent – e.g. Article 6(1)(f) GDPR.
The often misused consent to the processing of personal data is only one of many possible legal grounds for the processing of personal data. There are many other legal grounds for processing personal data, other than the consent of the persons whose data will be processed. In particular, personal data may be processed for the performance of an agreement or, for example, where the processing is necessary for the purposes of a legitimate interest pursued by the controller or by a third party. Legal grounds for the processing of personal data are regulated in Article 6 GDPR.
To the extent that the processing of your personal data takes place in order to conclude and perform an agreement with the Controller, providing the data is necessary to conclude an agreement. Providing personal data is voluntary, however, without provision thereof it is not possible to conclude and implement an agreement. Providing personal data for marketing purposes is voluntary, although processing personal data for marketing purposes may also take place on the basis of a legal basis other than consent – e.g. on the basis of Article 6(1)(f) GDPR.
Pursuant to Article 17 GDPR, you have the right to demand the deletion of data. The Controller guarantees this right and makes it easier for you to exercise it, e.g. by means of an appropriate option in the administration panel of domains, where you can automatically execute it.
“MSERWIS” (PDC): DOMENY.TV MSERWIS Sp. z o.o., based at Stacyjna 1/63, 53-613 Wrocław, Poland, entered into National Court Register
under number KRS 0001090436, EUVAT 8971849179, REGON 368943222.
E-mail address: info (at) dotinum.com
Contact form: https://dotinum.com/#contact