Privacy policy of the Integer.pl S.A. capital group companies

valid from June 14, 2018 (as version No. 1.1)

The protection of your personal data is very important to us. When providing postal services, we are required to maintain postal secrecy, which includes, among others things, information provided in postal items, data on entities using postal services, and data on the fact and circumstances of providing postal services or using these services. In addition, information or data covered by postal secrecy may be collected, recorded, stored, developed, changed, deleted, or made available only if these activities relate to the postal service provided or are necessary for its performance or if separate provisions provide otherwise.

In many cases, your personal data within the meaning of generally applicable law is also covered by postal secrecy. This document is intended to provide you with the necessary information on how we process your personal data and what your rights are in relation to the processing of your personal data.

Who is the administrator of your personal data?

The administrator of your data is, depending on the type of service performed, a relevant company with capital links to Integer.pl S.A. (a list of these entities is available at: https://integer.pl/pl/grupa-kapitalowa-integer-pl/profil-dzialalnosci - hereinafter we will refer to these entities collectively as "InPost") or an external entity who provided data to InPost for the purpose of having the service performed, in particular:

  • If you are a natural person sending your parcel as part of the postal or transport services provided through InPost parcel lockers - the administrator of your data is InPost Paczkomaty sp. z o.o., with its registered office at ul. Wielicka 28, 30-552 Kraków.
  • If you are a natural person sending your parcel as part of courier services provided by InPost - the administrator of your data is InPost sp. z o.o., with its registered office at ul. Wielicka 28, 30-552 Kraków.
  • In the event that you commission an external entity to perform services on a parcel to be sent via the courier network of InPost sp. z o.o. or Parcel Lockers belonging to InPost Paczkomaty Sp. z o.o. (e.g. if you order goods in an on-line store, providing your data for delivery) - the administrator of your personal data is this external entity (e.g. on-line store), which commissioned InPost to perform the service on the shipment as its sender.

Whenever you consent to the processing of your personal data, you will be informed before expressing that consent which company among InPost companies is the administrator of your personal data.

What personal data do we process?

As part of the services provided by InPost, we process the following personal data:

  • name and surname of the sender (including the payer) and the recipient (addressee) of the shipment,
  • the sender's address (street, house number, apartment number, zip/postal code, city),
  • the recipient's address (street, house number, apartment number, zip/postal code, city),
  • a new delivery address if, after posting, the sender asks InPost to deliver it to a new address, or InPost establishes a different delivery address with the recipient before delivery (the new address includes data in the form of street address, house number, apartment number, zip/postal code, and city),
  • the e-mail address of the sender and recipient of the shipment, which is processed to send messages regarding the performance of the service, in particular information on the current delivery status of the parcel, or information enabling collection of the parcel from a Parcel Locker,
  • the telephone number of the sender and recipient of the parcel for direct contact or sending messages regarding the performance of the service, in particular contact to determine another place of delivery of the parcel, or information enabling collection of the parcel from a Parcel Locker,
  • depending on the service, we can also process the bank account number necessary to transfer the collected cash (as part of the collection service, so-called cash on delivery) to the person indicated by the sender, as well as information enabling to identify payments or top-ups of accounts related to services we offer as pre-paid,
  • the IP addresses of people using our systems to purchase the services we provide.

We process the above data for the purpose and scope necessary to perform the services provided by InPost and to comply with InPost's legal obligations, including consideration of complaints submitted in relation to these services.
In addition, as part of marketing communications or to process your questions and requests, e.g. business inquiries (with your prior consent), we may process your personal data that you provided to us when expressing the above consent.

Providing personal data is voluntary, but necessary for the performance of services provided by InPost or for the consideration and possible implementation of the applications you send to us. The requirement to provide this data is a contractual requirement, while for data provided as part of complaints submitted to us for non-performance or improper performance of postal and transport services, this is also a statutory requirement (specified in the implementing provisions of Postal Law and Transport Law).

In addition, due to the fact that - for the purposes of security and protection of you and your parcels, in particular against theft and vandalism - we use InPost parcel locker monitoring, which may record your image, we also process this type of personal data. This processing of your data is therefore necessary not only to protect our legitimate interests, but also to protect your interests, and in the event that such a recording captured a crime being committed, this processing is also necessary to fulfill our obligation, which arises in particular from art. 81 of the Postal Law Act (Dz.U.2017.1481 i.e. ze zm.) and art. 304 of the Code of Criminal Procedure (Dz.U.2017.1904 t.j. ze zm.). We store recordings in a manner that ensures the security of their processing (we cover how we secure your personal data below in the chapter "How do we process your personal data?"), for up to one month from the date of recording.

How do we receive your personal data?

We receive your personal data directly from you or the sender (including the payer) of the parcel which is sent by ordering InPost to perform the service on such a parcel. Data can therefore be received by InPost in the following circumstances:

  • if you give us your Shipment to be delivered to a person indicated by you or to the place indicated,
  • when our clients (e.g. on-line stores) provide us with your data to allow delivery of shipments to you,
  • in the event that you lodge a complaint with us for failure to perform or improper performance of the services we provide, or when your data is provided by a person authorized to make such a complaint, for example our customer who sent you a parcel and then lodged a complaint with InPost for non-performance or improper performance of the service regarding this shipment,
  • if you submit to us another inquiry regarding the services provided by InPost or InPost's activities,
  • if you provide InPost with your data to receive an InPost commercial offer,
  • if you provide InPost with your data to create an account in the InPost IT system, which allows you to purchase the services we offer,
  • if you provide your data - only with your consent - for the purpose of processing them for the purposes of marketing InPost products and services, as well as those offered by entities cooperating with InPost, which will be done by InPost or independently by these entities.

For what purposes do we process your personal data?

The purpose of processing your personal data is specified in particular in the relevant contract or InPost Terms and Conditions, on the basis of which we provide services to you or have access to your personal data, or directly when you consent to the processing of your personal data. These purposes may include:

  • providing postal or transport services to you, as well as services accompanying these services, including delivery of a shipment you have sent or delivery to you,
  • the need to fulfill tax, legal, and accounting obligations by InPost,
  • providing you with marketing information and materials for the purpose of providing you with our offer (this is optional and requires your consent to receiving this type of information).
  • analysis, including personalization, solely for the purposes of optimizing processes in the provision of our services and improving them.

How long do we store your personal data?

We store your personal data no longer than necessary. In particular, we store this data for the time necessary for the proper performance of the services we provide, and after this period no longer than until the expiry of the limitation period for claims that may be raised in connection with the provision of these services. The duration of storing personal data is specified in our Terms and Conditions for the provision of services, data processing entrustment agreements (then this time is binding to the Parties to these contracts), the content of your consents to the processing of your personal data, and if it is not specified in these Terms and Conditions or contracts, we store your personal data for the following periods:

  • if you have an account in our systems that allow you to purchase the services we provide, and you order these services as the sender (including the payer), as well as if you do not have such an account, but use our services as the sender (including the payer), we store your personal data for a maximum period of 6 years from the day you sent the parcel,
  • if you are the recipient of a shipment, we store your personal data for a maximum period of 18 months, counting from the date of posting the shipment, and after this time we can store this data for no longer than the period of limitation of any claims relating to the provision of services, resulting from commonly applicable law,
  • if you file a complaint about the services provided by InPost, we process your personal data contained in the complaint for the time necessary to consider the complaint, and after this time we can store it for no longer than the period of limitation of any claims relating to the complaint arising from generally applicable law,
  • if you submit another application or inquiry to us, we store your personal data for the period of service and possible implementation of your application, and after this period we can store it for a period not exceeding the period of possible limitation of claims resulting from generally applicable law,
  • if the period of storage of your personal data results from mandatory provisions of law, we store your personal data for the period specified in these provisions.

Why do we store your data for such a period of time?

Because InPost has to comply with obligations arising from the provisions of generally applicable law, in particular in the field of:

  • implementation of postal law, transport law, tax and accounting regulations,
  • to the extent that the processing of personal data is necessary for purposes arising from legitimate interests pursued by InPost, in the form of matters related to the pursuit of claims arising from the provision of services by InPost,
  • continuous improvement of security, including in particular the prevention of fraud,
  • other legal obligations imposed on InPost.

How do we process your personal data?

In the field of postal and transport services provided by InPost, we process your personal data:

  • in electronic form in InPost IT systems and those of InPost subcontractors, to the extent necessary for the proper performance of services provided by InPost, also in an automated manner,
  • in physical form (e.g. in written form), to the extent necessary for the proper performance of the services provided by InPost, in particular as printouts on shipping labels generated from InPost's IT systems, which are attached to the parcel.

When processing your personal data, we use safeguards appropriate to the type, amount, and scope of personal data processed, as well as appropriate organizational and technical measures to best protect your personal data against unauthorized activities.

Realizing the importance of protecting your personal data, we use, among others:

  • encrypting your data using SSL (Secure Sockets Layer) during transmission,
  • in certain cases, anonymisation, pseudonymisation, and encryption of your personal data
  • other hardware, network, and system security, such as: firewalls, licensed hardware, and network anti-virus software, controlled access through a secured VPN, and many other IT security measures,
  • electronic and physical mechanisms for controlling access of people to buildings and rooms in which your personal data is processed (e.g. magnetic and electronic keys, security locks, monitoring),
  • other safeguards that are designed to protect your personal data.

What are the contact details of the Personal Data Administrator and the person responsible for the protection of personal data?

InPost's contact details: ul. Wielicka 28, 30-552 Kraków. Contact with the person responsible for the protection of personal data at InPost is possible at the following e-mail address: dane_osobowe@grupainteger.pl, or by traditional correspondence to the above address.

If you have any questions or concerns regarding the protection of your personal data, you can contact us via the email address: dane_osobowe@grupainteger.pl.

What are the legal grounds for processing your personal data by InPost?

InPost processes your personal data in particular to perform the postal and transport services it offers. These services are performed on the basis of contracts, including contracts concluded with senders. We cannot perform these services without processing personal data (e.g. without knowing the delivery address for a parcel and its addressee, we are not able to deliver it), nor other services to which we have committed. The processing of your personal data is also necessary to fulfill our legal obligations. One of these obligations is the one specified in art. 81 of the Postal Law Act (Dz.U.2017.1481 i.e. z późn. zm.) - in accordance with this law, InPost, acting as a postal operator, is obliged to perform tasks and obligations for defence, state security, as well as public safety and order in the scope and under the conditions specified in the Postal Law Act and separate provisions.

We also process your personal data for purposes arising from our legitimate interests - by 'legitimate interest' we understand the lawful and rational purpose of data processing (e.g. direct marketing of our products or services, or pursuing claims arising from business operations). Whenever we want to process your personal data on the basis of a legitimate interest, we examine and assess whether such processing of personal data will affect you and your rights. We will not process your personal data on the basis of our "legitimate interest", if your interest or your rights and freedoms override it.

For other purposes of processing your personal data, you may withdraw your consent to the processing of your personal data for these purposes without affecting the validity of the processing of personal data before the consent is withdrawn. We obtain your consent especially for the use of your personal data for marketing purposes.

Who is the recipient of your personal data?

Pursuant to the provisions of the GDPR, the "recipient" of personal data is a natural or legal person, public authority, or other entity to whom personal data is disclosed, regardless of whether it is a third party. Your personal data is not processed exclusively by InPost and its staff. We provide our services with the help of many subcontractors, ranging from transport companies to entities that run post offices for us and issue shipments to you. Your data is therefore processed by such categories of recipients as:

  • InPost employees and associates,
  • InPost subcontractors, providing services on our behalf for receiving, moving, sorting, and delivery of shipments,
  • insurer dealing with damage to shipments,
  • subcontractors operating our IT networks and databases, creating IT solutions for us, and providing marketing services to us,
  • subcontractors servicing the InPost helpline and customer service department,
  • companies related by capital to Integer.pl S.A. (a list of these entities is available at: https://integer.pl/pl/grupa-kapitalowa-integer-pl/profil-dzialalnosci),
  • professional entities providing InPost with tax, legal, auditing, and settlement consultancy.

Is your personal data transferred to third countries, i.e. countries that do not belong to the European Economic Area?

Your personal data is transferred to third countries in the event that the services provided by InPost are also to be performed in the territory of a third country. This is the situation for example if you send a parcel via InPost to such a country. Your personal data may also be transferred to our subcontractors (e.g. entities that deliver your parcel in a third country) and entities providing InPost with tax, legal, audit, and billing advice if they operate in a third country. In each of the above cases, we secure the processing of your personal data, in particular by entering into confidentiality agreements and contracts for the processing of personal data in a manner that complies with the provisions of the law generally applicable in the European Union and Poland in the field of personal data protection, as well as on conditions that ensure the security of processing your personal data. We do not transfer your personal data to international organizations. We do not transfer your personal data to third countries if such transfer is not possible on the basis of or is excluded by generally applicable law.

Cookies

If you use our websites and systems available through these websites (in particular enabling the generation of shipping orders and other activities related to ordering postal and transport services), when browsing these pages, so-called "cookies" are created. These are small text files that are stored on your device, which you use to browse websites. They are commonly used to ensure the functioning of websites and other services provided via the Internet, and to improve and develop these pages, which is based on reading the content of these files.

InPost collects information contained in "cookies", such as the date of connection to the website or the IP address of the device from which the connection to the website takes place - this is data showing how you use our websites. This information is used for administrative and statistical purposes and to improve these pages and improve your user experience. In addition, this data, processed automatically, can be used to analyse the behaviour of these pages' content recipients (e.g. time spent on the website) or to personalize the content of websites, in particular by providing on-line advertisements.

You do not have to accept cookies (you can accept their use by selecting the appropriate button on our website, as well as by selecting the appropriate settings in your web browser), but this may cause the website to function improperly.

What are your rights regarding access to your personal data?

You have the right to demand from InPost, as the administrator of your personal data, access to your personal data, rectification, deletion, or limitation of processing, as well as the right to object to its processing, and the right to transfer the data and receive a copy.

If you have consented to the processing of your data by InPost, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing on the basis of your consent before its withdrawal.

You can exercise the above rights by submitting a relevant statement to InPost, in particular via the email address: dane_osobowe@grupainteger.pl.

You also have the right to lodge a complaint with a supervisory body (the President of the Personal Data Office or another state office obliged by law to supervise the rules of processing personal data) if you feel that we have not properly addressed our obligations.

This policy may change, in particular if it is necessary due to a change in generally applicable law or a change in the scope of services offered by InPost. The current version of the policy is available at: https://inpost.pl/en/policy.