Privacy policy

1. This Policy describes the principles of Personal Data processing on websites operated in the t-mobile.pl domain, as well as other websites operated by or on behalf of T-Mobile Polska, except for websites with separate privacy and cookie policies (hereinafter: “Websites”).
2. Since the User uses the Website, the Controller collects data to the extent necessary to provide individual services included in the offer, as well as information about the User’s activity on the Website. The detailed principles and purposes of Personal Data processing collected during the User’s use of the Website are described below.
3. The current version of the Policy is valid as of 30/05/2022.

1. Controller – T-Mobile Polska S.A. with its registered office in Warsaw, at ul. Marynarska 12, 02-674 Warsaw, hereinafter also referred to as: “T-Mobile”.
2. Personal Data – information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including but not limited to device IP, location data, internet identifier as well as information collected via cookies and other similar technology.          
3. Policy – this Privacy Policy.       
4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. 
5. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.       

Contact on matters described in this Policy is available, inter alia, as follows:

• by e-mail at: iod@t-mobile.pl or
• by traditional mail at: T-Mobile Polska S.A., ul. Marynarska 12, 02-674 Warszawa.

The Controller may process Users’ Personal Data for the following purposes:

• providing electronic services in the scope of sharing the content collected on the Website to Users, as well as performing and concluding contracts between us – if this is the case, the legal basis for processing is the necessity of processing to perform the contract (legal basis: Article 6 (1) (b) of the GDPR);
• Controller’s analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (legal basis: Article 6 (1) (f) of the GDPR) consisting in keeping statistics and analysing the use of the services provided;
• related to ensuring the safety of users and the stability of the services provided by the Controller – the legal basis for processing is the legitimate interest of the Controller (legal basis: Article 6 (1) (f) of the GDPR) consisting in ensuring the safety of the solutions used;
• possible determination and pursuit of claims or defence against them – the legal basis for processing is the Controller’s legitimate interest (legal basis: Article 6 (1) (f) of the GDPR) consisting in the protection of its rights;
• fulfilment of the Controller’s public-law obligations – in the event of making purchases via the Website – resulting primarily from tax regulations and the Telecommunications Law Act, for the fulfilment of legal obligations incumbent on us, for the duration of their obligations, e.g. registration of subscribers of pre-paid offers and the period of data retention specified by law (legal basis: Article 6 (1) (c) of the GDPR;
• T-Mobile’s marketing purposes. These actions may include the presentation of general marketing content, as well as – with the User’s additional consent – content tailored to individual preferences and interests, including sending a newsletter. Depending on the situation, the legal basis for the Personal Data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in conducting direct marketing actions or the User’s consent (legal basis: Article 6 (1) (a) of the GDPR);
• creating analyses and statistics for our internal T-Mobile needs, such as marketing research, planning the development of services or networks, development works in IT systems, creating statistical models – for the duration of the contract, and then no longer than for the period of limitation of claims (legal basis: Article 6 (1) (f) of the GDPR);
• detecting and preventing abuse – for the duration of the contract (legal basis: performance of the contract), for the period of limitation of claims and the duration of any proceedings (legal basis: our legitimate interest); Personal Data provided by Users and obtained automatically while using the Website may also be used to ensure the security of our Websites and Users. This data may also be used to prevent fraud and other activities dangerous for the Website and Users. For the sake of avoiding fraud in our online store, we collect and use data using cookies and tracking technologies in order to determine what end device is used by the User. The collected IP addresses are anonymised. Data on devices from which fraudulent attempts have been made is stored in the database for the purpose of fraud prevention. T-Mobile accesses this data during the ordering process for risk assessment. The legal basis for Personal Data processing is the legitimate interest of the Controller (legal basis: Article 6 (1) (f) of the GDPR).        

For the purposes indicated above [except for the purposes described in Item (a), (e)], we will perform profiling, namely, automated analysis of your Data and development of predictions about preferences or future behaviours (e.g. in the case of marketing profiling, we will determine which offer you may be most interested in)

In case of sending to the Controller, via e-mail or traditional mail, correspondence not related to the services provided to the Sender or other contract concluded with it, the Personal Data contained in this correspondence is processed only for the purpose of communication and resolving the matter to which the correspondence relates.

The legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in conducting correspondence addressed to it in connection with its business activity.

The Controller processes only personal data relevant to the matter to which the correspondence relates (which, inter alia, means that the Controller has no intention of obtaining so-called data of a specific category, such as e.g. health data). All correspondence is stored in a way ensuring the security of Personal Data (and other information) contained therein, as well as it is disclosed only to authorised persons.

T-Mobile Chat is an internet service used in the sale and remote support of Users. Communication with the consultant is rendered possible thanks to the communicator application, which does not require the software installation process on the user’s device and is accessed by clicking the ‘Rozpocznij czat’ [Start chat] button.

Consultant – an employee or associate of the Controller handling correspondence with Users on its behalf – during the conversation it uses the application featuring sets of tools enabling it to have knowledge about the interlocutor (e.g. websites it has visited), facilitating communication and offering the best possible help.

If the User uses this form of contact, the Controller will process the data for the following purposes:

• handling the inquiry sent – the legal basis for processing is the legitimate interest of T-Mobile (Article 6 (1) (f) of the GDPR), consisting in handling correspondence related to TMPL’s activities and the possibility of settling the matter initiated by the User;       
• Controller’s analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (Article 6 (1) (f) of the GDPR) consisting in keeping statistics and analysing the use of the services provided;       
• possible determination and pursuit of claims or defence against them – the legal basis for processing is the Controller’s legitimate interest (Article 6 (1) (f) of the GDPR) consisting in the protection of its rights;       
• if the User has decided to provide feedback on the conversation in order to assess the quality of handling inquiries by the Consultant – the legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in improving the quality of services provided.       

The User may download the record of the chat conversation with the Consultant.

In the event of contacting the Controller by phone, in matters not related to the concluded contract or services provided, the Controller may request Personal Data when it is necessary to handle the matter to which the contact relates. If this is the case, the legal basis is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in the need to resolve the reported matter related to its business activity.

To facilitate contact, the Controller also provides the ‘Porozmawiamy?’ [Shall we talk?] form, which allows for conducting a conversation on the topic selected by the User. If this is the case, the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR). Please be advised to remember that during the conversation, the User may be presented with commercial information.

As part of the ‘Kariera’ [Career] tab, the Controller provides information about its employment policy, as well as about recruitment processes. Furthermore, it is also possible to apply from the level of a specific announcement, after prior registration of an account on the Website.

Depending on the choice made by the User, Personal Data sent for recruitment purposes may be processed by the following entities:

• all entities from the Deutsche Telekom group, including entities located outside the European Economic Area;
• another entity from the Deutsche Telekom group for whose announcement a nomination is sent;
• only by the Controller.

In the cases indicated in Items (a) and (b) above, each and every entity from the Deutsche Telekom group is a separate data controller within the meaning of the GDPR.

If the User decides to participate in the recruitment process conducted by the Controller, it is a must to point out that the Controller expects candidates to provide Personal Data (e.g. in a CV or personal background) only to the extent specified in the provisions of the labour law (or provisions indicated in the announcement). Accordingly, the broader scope of the information should not be provided. If the submitted applications contain additional personal data, this data will not be used or taken into account in the recruitment process, unless the candidate consents to the processing of such data.

Users’ Personal Data will be processed:

• to fulfil the obligations arising from legal provisions related to the employment process, including, in particular, the Labor Code – the legal basis for processing is the legal obligation incumbent on the Controller (Article 6 (1) (c) of the GDPR in conjunction with the provisions of the Labour Code) – or in the case of employment offered on the basis of a civil law contract;
• to conclude and perform a civil law contract with the employed person on a basis other than an employment contract – the legal basis for processing is the necessity to conclude and perform the contract (Article 6 (1) (b) of the GDPR);
• to carry out the recruitment process in the field of data not required by law – the legal basis for processing is consent (Article 6 (1) (a) of the GDPR);
• to establish or pursue possible claims or defend against such claims – the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in the possibility of establishing and pursuing claims or defending against claims against the Controller.

The User may subscribe to the newsletter voluntarily. Subscribing to the newsletter by the User entails its Personal Data being processed by T-Mobile, in particular the processing of the e-mail address. If the User consents to the foregoing, we may combine its e-mail address with the information collected by cookies from the browser/device, in order to better match the offer to the User’s preferences (more information on cookies is provided in the Chapter entitled Cookies and tracking technologies).

Personal data will be processed on the basis of the User’s consent (Article 6 (1) (a) of the GDPR).

By subscribing to the newsletter, the User consents to receive commercial and marketing information from T-Mobile.

The consent may be withdrawn at any time.

Some offer pages contain buttons for social networks (such as Facebook, Google, Instagram, Twitter, Pinterest, Xing or LinkedIn) by which you can recommend T-Mobile offers to your friends.

We use pictograms of the relevant social media network on our Websites. You will be redirected to the company’s website on the relevant social media platform after clicking on the pictogram. Social media platforms and third-party content providers, that can be reached via the pictograms, provide these services and the processing of their data on their own responsibility. Information on the principles of Personal Data processing by these companies is available in their privacy policies.

By activating a plug-in or link to social media via the pictogram, you shall consent to the sharing of content (Article 6 (1) (a) of the GDPR). The following data may be transferred to the social media provider: IP address, browser information, operating system, screen resolution, installed browser plug-ins such as Adobe Flash Player, the previous website if you clicked on the link, the URL of the current website, etc.

The Controller processes the Personal Data of Users visiting the Controller’s profiles in social media (Facebook, Linkedin, YouTube, Twitter). Therefore, it processes data that are left by visitors to these profiles (including comments, likes, online identifiers).

Personal Data of such persons is processed:

• to enable them to be active on profiles;
• to effectively run profiles, by presenting users of portals with information about the Controller’s initiatives and other activities, as well as in connection with the promotion of various types of events, services and products;
• for statistical and analytical purposes;
• possibly this Data may be processed for the purpose of pursuing claims and defending against claims

The legal basis for Personal Data processing is the legitimate interest of the Controller (legal basis: Article 6 (1) (f) of the GDPR), consisting in promoting its own brand and improving the quality of services provided, and if necessary – in pursuing claims and defending against claims.

PLEASE NOTE: The above information does not apply to the processing of Personal Data by website administrators (Facebook, LinkedIn, YouTube, Twitter). By using a social-media application, the User provides its Personal Data to the administrator of such application. T-Mobile is not responsible for the way data is processed by the application provider, which has the status of a separate personal data controller. The principles of personal data processing by the application provider are available on the application provider’s websites.

In our Websites, we have integrated external service providers who render their services independently. When you visit our website, data is stored using cookies or similar technologies, and transferred to a relevant third party – partly for telecommunications purposes. The legal basis for these cookies is Article 6 (1) (a) of the GDPR. Please be advised to read the third-party data protection information to learn the extent, purposes and legal basis for further processing of the third party’s own purposes. Information on independent third-party providers can be can be found below.

Google

On individual websites, e.g. in the store finder, we use Google Maps for the display of maps, locations and route planning. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By embedding Google Maps, your IP address is immediately transferred to Google, and a cookie is saved as soon as you visit such a website. For more information on data processing by Google, please visit http://www.google.pl/intl/pl/policies/privacy. You can also object to it at any time.

On our website, we use the remarketing and Google AdWords functions by Google Inc. (“Google”). This feature is utilised using a cookie and it serves to present interest-based advertising to website visitors within the Google advertising network. These pages may subsequently present advertisements to the visitor relating to content that the visitor has previously accessed on sites that use the Google remarketing feature. According to its own information, Google does not collect any personal data during this process. If you still do not wish to use Google remarketing feature, you can always deactivate it by making the appropriate settings at: http://www.google.com/settings/ads. Alternatively, you can deactivate the use of cookies for interest-based advertising via an advertising network initiative by following the instructions at: http://www.networkadvertising.org/managing/opt_out.asp. Should you wish to learn more information on Google Remarketing and Google’s data protection statement, please visit: https://policies.google.com/technologies/ads?Hl=pl/ .

If you have reached our website via a Google ad, Google AdWords will save a cookie on your computer. This cookie expires after 30 days. The information obtained through the so-called conversion cookie is used to generate statistics about our conversion rate. This means that we find out how many users have reached our website via a Google ad and purchase the product within 30 days. If you do not wish to participate in the tracking process, you can deactivate cookies for conversion tracking by specifying in your browser settings that cookies from the respective domain are blocked: Google AdWords: googleadservices.com

Google reCAPTCHA

Our Website uses the so-called Google Captcha (“Google reCAPTCHA”). It is a security feature on websites, serving to allow only human-filled data to be sent. Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

In particular, Google’s security check uses the following information:

• Your terminal’s IP address
• Browser properties (e.g. browser type and version, screen resolution, language, time and date of access)
• Your Google account (if you are logged in)
• Your browsing behaviour
• Your access behaviour (e.g. mouse movements over reCAPTCHA)
• Image identification tasks as needed.

The legal basis for data processing is Article 6 (1) (f) of the GDPR (legitimate legal interest – the company’s interest in ensuring system security, to protect Customer forms and its website against attacks/spam). Should you wish to learn more information on Google reCaptcha, please visit:  https://policies.google.com/privacy?hl=pl or https://policies.google.com/terms?hl=plo

Facebook

Our website use the Facebook Customer Audience and Facebook Pixel services to optimise our advertising offer, provided that you have given consent to Facebook. Should you wish to learn more about these Facebook services and data protection information from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (“Facebook”), please visit: https://www.facebook.com/privacy/. If you use a Facebook user account, you can recognise this by the Facebook pixel on our website from the set Facebook cookie through which the collected usage data is transferred to Facebook for analysis and marketing purposes. This data collection, as well as the further processing and use of the data by Facebook, can be checked and/or deactivated directly on Facebook. The Facebook pixel is the JavaScript code that transfers the following data to Facebook:

• HTTP header information (including IP address, information about the web browser, page storage, document, website URL and Customer of the web browser user, as well as the date and time of use),
• Pixel data; this includes the pixel ID and Facebook cookie data, including Facebook ID (this data is used to link events to a specific Facebook advertising account and assign them to a Facebook user),
• Additional information about visits to our site, as well as standard and custom data events – Orders placed (sales) – Termination of registration and trial subscriptions – Products searched, product information retrieval.

The above data processing only applies to users who have a Facebook account or who have accessed a Facebook partner page (whereby a cookie has been set). The display of advertisements on Facebook (partner) pages using the Customer Audience service does not affect users who are not Facebook users. If the Facebook ID contained in the Facebook cookie can be assigned to a Facebook user, Facebook assigns that user to a target group (Custom Audience) based on the rules set by us, provided that the rules are met. We use the information obtained in this way to present T-Mobile ads on Facebook (partner) pages. If you wish to object to the use of Facebook Pixel, you can set an opt-out cookie on Facebook or deactivate JavaScript in your browser. Should you wish to learn more information and access privacy setting options for advertising purposes, please see Facebook’s data protection guidelines at https://www.facebook.com/ads/website_custom_audiences/.

LinkedIn

Retargeting and LinkedIn conversion tracking (LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland) using LinkedIn Insight Tag, renders it possible to collect statistical, pseudonymous data (referrer URL, IP address (abbreviated), device and browser properties) about the visit on the website and the use of our website, as well as on the provision of relevant aggregate statistics on this basis. This information is also used to display specific and appropriate offers and recommendations after you have shown interest in certain products, information and offers on our website. This anonymous information is stored in the cookie for 6 months. Should you wish to learn more about the processing of data by LinkedIn, please visit: https://www.linkedin.com/legal/privacy-policy?trk=registration_footer-privacy-policy You can also object to it at any time.

The User may at any time disable or restore the cookies collection option by changing the settings in the web browser. The cookie management instructions are available at: http://www.allaboutcookies.org/manage-cookies .

In some situations, we use automated decision-making processes.

We want the User to enjoy using our Websites and to be able to easily find interesting products. To that end, we analyse Users’ behaviour on the Websites, while using them anonymously or pseudonymously. In reliance upon the available data, Users may be presented with content tailored to their preferences and likings. The decision to present relevant content is made automatically.

In reliance upon the information provided by the User and information that we have obtained about the User, e.g. from Economic Information Bureaus, Credit Information Bureau, data provided by the User’s device, or data from other services that has been or is still provided to the User, we also carry out analyses as part of the User’s risk and credibility evaluation. Automated decision-making, including profiling, also takes place for reasons of online payment security or fraud prevention.

In the event of a negative evaluation, the consequence of profiling may be the refusal to provide the User with the selected form of financing.

If you are subjected to the process of automated decision-making, including profiling, you have the right to receive the intervention of our employee who will additionally verify your situation and the decision made. You can also present your position or contest the decision made.

As a rule, the period of personal data processing by the Controller depends on the type of service provided and the purpose of processing, including:

• data processed for providing electronic services will be processed until they are terminated, e.g. the account is removed from the website;
• data processed for exercising the legitimate interest of the Controller will be processed until it expires or until an effective objection to its processing is submitted (e.g. promotion of the Controller’s brand in social media);
• data processed on the basis of the consent given by the User will be processed until it is withdrawn (e.g. marketing consent);
• the data processing period may be extended if the processing is necessary to establish and pursue any claims or defend against them, and after that time, only in the case and to the extent that it will be required by law;
• after the expiry of the processing period, the data is irreversibly deleted or anonymized.

In connection with the activities described in this policy, personal data may be disclosed to third parties that are service providers for the Controller, primarily entities responsible for the operation of IT systems and equipment, websites, postal operators or couriers, marketing agencies.

This sort of data is transferred to third parties in accordance with the provisions of the GDPR, including appropriate safeguard measures are used each time, e.g. in the form of data processing agreements.

The Controller reserves the right to disclose selected information about the User only to state authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.

The level of Personal Data protection outside the European Economic Area (‘EEA’) differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when it is necessary and with an adequate level of protection, using appropriate measures, including but not limited to through:

• cooperation with entities processing Personal Data in countries for which an appropriate decision of the European Commission has been issued regarding the assurance of an adequate level of protection of Personal Data;
• the use of standard contractual clauses issued by the European Commission;
• the application of binding corporate rules approved by the competent supervisory authority.

Użytkownikowi przysługują następujące uprawnienia:

• to access the content of the data – that is, obtaining information about the purpose and method of Personal Data processing, categories of Personal Data processed, recipients or categories of recipients to whom the Personal Data has been or will be disclosed, the planned period of Personal Data retention, the right to request the Controller to rectify, delete or restrict the processing of Personal Data, the right to lodge a complaint with the supervisory authority, and a copy of the data;
• to request its rectification – that is, correction of Personal Data when it is incorrect, it has changed changed or has become obsolete, as well as to request to supplement incomplete personal data;
• to request its erasure – that is, erasure of data that is processed without legitimate legal grounds;
• to restrict processing – that is, data processing restrictions in cases where:
  - the data subject questions the accuracy of the Personal Data,
  - the processing is unlawful, and the data subject objects to the deletion of personal data,
  - the Controller no longer needs personal data for the purposes of processing, but the data is needed by a person to establish, pursue or defend claims,
  - the person has objected to processing – until it is determined whether the legitimate grounds on the part of the Controller override the grounds for objection raised by that person; 
• to data portability – that is, to obtain its Personal Data that it has provided to us or to indicate another Controller to whom we should provide it, if technically possible;
• to object – an objection may only be raised against the processing of data based on the Controller’s legitimate interest (e.g. contact purpose). The Controller will cease processing data for these purposes, unless there are other overriding legitimate grounds for processing;
• to withdraw consent – consent may be withdrawn at any time. From the submission of such an instruction, the data will continue to be processed for the purpose covered by the consent. Please be reminded that the exercise of this right does not affect the compliance of data processing by the Controller prior to the withdrawal of consent;
• to lodge a complaint with the supervisory body dealing with personal data protection;
• not to be subjected to the process of automated decision-making, including profiling, if such actions have legal effects on you or otherwise significantly affect you. However, we may use an automated decision-making process when such a decision:
  
  1. is necessary for the conclusion or performance of a contract,
  2. is allowed on the basis of separate provisions of law, or:
  3. takes place after you have given your consent.

If you are subjected to the process of automated decision-making, including profiling, you have the right to receive the intervention of our employee who will additionally verify your situation and the decision made. You can also present your position or contest the decision made.

The User may exercise its rights by submitting the content of the request as follows:

• by e-mail to the following address:  
  
  BOA@t-mobile.pl – for subscribing Customers
  BOU@t-mobile.pl – for Prepaid Customers
  IOD@t-mobile.pl– for everyone
• by phone at:
  
  602 900 000 – for subscriptions Customers
  602 960 200 – for Prepaid Customers
• by sending a message via the website:
  
  T‑Mobile: https://www.t-mobile.pl/logowanie (after logging in)
• via mobile application (Mój T‑Mobile)
• by traditional mail:
  
  T‑Mobile Polska S.A., ul. Marynarska 12, 02-674 Warszawa

If the Controller is not able to identify the User on the basis of the submitted request, it will ask for additional information. Providing such data is not obligatory, yet failure to provide it will result in the refusal to fulfil the request.