- This Policy describes the principles of Personal Data processing on websites operated in the t-mobile.pl domain, as well as other websites operated by or on behalf of T-Mobile Polska, except for websites with separate privacy and cookie policies (hereinafter: “Websites”).
- Since the User uses the Website, the Controller collects data to the extent necessary to provide individual services included in the offer, as well as information about the User’s activity on the Website. The detailed principles and purposes of Personal Data processing collected during the User’s use of the Website are described below.
- The current version of the Policy is valid as of 30/05/2022.
- Controller – T-Mobile Polska S.A. with its registered office in Warsaw, at ul. Marynarska 12, 02-674 Warsaw, hereinafter also referred to as: “T-Mobile”.
- Personal Data – information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including but not limited to device IP, location data, internet identifier as well as information collected via cookies and other similar technology.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
Contact on matters described in this Policy is available, inter alia, as follows:
- by e-mail at: email@example.com or
- by traditional mail at: T-Mobile Polska S.A., ul. Marynarska 12, 02-674 Warszawa.
Why we process data
1. Use of the website
The Controller may process Users’ Personal Data for the following purposes:
- providing electronic services in the scope of sharing the content collected on the Website to Users, as well as performing and concluding contracts between us – if this is the case, the legal basis for processing is the necessity of processing to perform the contract (legal basis: Article 6 (1) (b) of the GDPR);
- Controller’s analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (legal basis: Article 6 (1) (f) of the GDPR) consisting in keeping statistics and analysing the use of the services provided;
- related to ensuring the safety of users and the stability of the services provided by the Controller – the legal basis for processing is the legitimate interest of the Controller (legal basis: Article 6 (1) (f) of the GDPR) consisting in ensuring the safety of the solutions used;
- possible determination and pursuit of claims or defence against them – the legal basis for processing is the Controller’s legitimate interest (legal basis: Article 6 (1) (f) of the GDPR) consisting in the protection of its rights;
- fulfilment of the Controller’s public-law obligations – in the event of making purchases via the Website – resulting primarily from tax regulations and the Telecommunications Law Act, for the fulfilment of legal obligations incumbent on us, for the duration of their obligations, e.g. registration of subscribers of pre-paid offers and the period of data retention specified by law (legal basis: Article 6 (1) (c) of the GDPR;
- T-Mobile’s marketing purposes. These actions may include the presentation of general marketing content, as well as – with the User’s additional consent – content tailored to individual preferences and interests, including sending a newsletter. Depending on the situation, the legal basis for the Personal Data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in conducting direct marketing actions or the User’s consent (legal basis: Article 6 (1) (a) of the GDPR);
- creating analyses and statistics for our internal T-Mobile needs, such as marketing research, planning the development of services or networks, development works in IT systems, creating statistical models – for the duration of the contract, and then no longer than for the period of limitation of claims (legal basis: Article 6 (1) (f) of the GDPR);
- detecting and preventing abuse – for the duration of the contract (legal basis: performance of the contract), for the period of limitation of claims and the duration of any proceedings (legal basis: our legitimate interest); Personal Data provided by Users and obtained automatically while using the Website may also be used to ensure the security of our Websites and Users. This data may also be used to prevent fraud and other activities dangerous for the Website and Users. For the sake of avoiding fraud in our online store, we collect and use data using cookies and tracking technologies in order to determine what end device is used by the User. The collected IP addresses are anonymised. Data on devices from which fraudulent attempts have been made is stored in the database for the purpose of fraud prevention. T-Mobile accesses this data during the ordering process for risk assessment. The legal basis for Personal Data processing is the legitimate interest of the Controller (legal basis: Article 6 (1) (f) of the GDPR).
For the purposes indicated above [except for the purposes described in Item (a), (e)], we will perform profiling, namely, automated analysis of your Data and development of predictions about preferences or future behaviours (e.g. in the case of marketing profiling, we will determine which offer you may be most interested in)
2. E-mail and traditional correspondence
In case of sending to the Controller, via e-mail or traditional mail, correspondence not related to the services provided to the Sender or other contract concluded with it, the Personal Data contained in this correspondence is processed only for the purpose of communication and resolving the matter to which the correspondence relates.
The legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in conducting correspondence addressed to it in connection with its business activity.
The Controller processes only personal data relevant to the matter to which the correspondence relates (which, inter alia, means that the Controller has no intention of obtaining so-called data of a specific category, such as e.g. health data). All correspondence is stored in a way ensuring the security of Personal Data (and other information) contained therein, as well as it is disclosed only to authorised persons.
3. T-Mobile chat
T-Mobile Chat is an internet service used in the sale and remote support of Users. Communication with the consultant is rendered possible thanks to the communicator application, which does not require the software installation process on the user’s device and is accessed by clicking the ‘Rozpocznij czat’ [Start chat] button.
Consultant – an employee or associate of the Controller handling correspondence with Users on its behalf – during the conversation it uses the application featuring sets of tools enabling it to have knowledge about the interlocutor (e.g. websites it has visited), facilitating communication and offering the best possible help.
If the User uses this form of contact, the Controller will process the data for the following purposes:
- handling the inquiry sent – the legal basis for processing is the legitimate interest of T-Mobile (Article 6 (1) (f) of the GDPR), consisting in handling correspondence related to TMPL’s activities and the possibility of settling the matter initiated by the User;
- Controller’s analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (Article 6 (1) (f) of the GDPR) consisting in keeping statistics and analysing the use of the services provided;
- possible determination and pursuit of claims or defence against them – the legal basis for processing is the Controller’s legitimate interest (Article 6 (1) (f) of the GDPR) consisting in the protection of its rights;
- if the User has decided to provide feedback on the conversation in order to assess the quality of handling inquiries by the Consultant – the legal basis for processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in improving the quality of services provided.
The User may download the record of the chat conversation with the Consultant.
4. Telephone contact
In the event of contacting the Controller by phone, in matters not related to the concluded contract or services provided, the Controller may request Personal Data when it is necessary to handle the matter to which the contact relates. If this is the case, the legal basis is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR) consisting in the need to resolve the reported matter related to its business activity.
To facilitate contact, the Controller also provides the ‘Porozmawiamy?’ [Shall we talk?] form, which allows for conducting a conversation on the topic selected by the User. If this is the case, the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR). Please be advised to remember that during the conversation, the User may be presented with commercial information.
As part of the ‘Kariera’ [Career] tab, the Controller provides information about its employment policy, as well as about recruitment processes. Furthermore, it is also possible to apply from the level of a specific announcement, after prior registration of an account on the Website.
Depending on the choice made by the User, Personal Data sent for recruitment purposes may be processed by the following entities:
- all entities from the Deutsche Telekom group, including entities located outside the European Economic Area;
- another entity from the Deutsche Telekom group for whose announcement a nomination is sent;
- only by the Controller.
In the cases indicated in Items (a) and (b) above, each and every entity from the Deutsche Telekom group is a separate data controller within the meaning of the GDPR.
If the User decides to participate in the recruitment process conducted by the Controller, it is a must to point out that the Controller expects candidates to provide Personal Data (e.g. in a CV or personal background) only to the extent specified in the provisions of the labour law (or provisions indicated in the announcement). Accordingly, the broader scope of the information should not be provided. If the submitted applications contain additional personal data, this data will not be used or taken into account in the recruitment process, unless the candidate consents to the processing of such data.
Users’ Personal Data will be processed:
- to fulfil the obligations arising from legal provisions related to the employment process, including, in particular, the Labor Code – the legal basis for processing is the legal obligation incumbent on the Controller (Article 6 (1) (c) of the GDPR in conjunction with the provisions of the Labour Code) – or in the case of employment offered on the basis of a civil law contract;
- to conclude and perform a civil law contract with the employed person on a basis other than an employment contract – the legal basis for processing is the necessity to conclude and perform the contract (Article 6 (1) (b) of the GDPR);
- to carry out the recruitment process in the field of data not required by law – the legal basis for processing is consent (Article 6 (1) (a) of the GDPR);
- to establish or pursue possible claims or defend against such claims – the legal basis for data processing is the legitimate interest of the Controller (Article 6 (1) (f) of the GDPR), consisting in the possibility of establishing and pursuing claims or defending against claims against the Controller.
The User may subscribe to the newsletter voluntarily. Subscribing to the newsletter by the User entails its Personal Data being processed by T-Mobile, in particular the processing of the e-mail address. If the User consents to the foregoing, we may combine its e-mail address with the information collected by cookies from the browser/device, in order to better match the offer to the User’s preferences (more information on cookies is provided in the Chapter entitled Cookies and tracking technologies).
Personal data will be processed on the basis of the User’s consent (Article 6 (1) (a) of the GDPR).
By subscribing to the newsletter, the User consents to receive commercial and marketing information from T-Mobile.
The consent may be withdrawn at any time.
|Didomi||User consent management system||1 year|
|Genesys||Chat on the site||Permanent/maximum|
|youtube-embedded-player||Embedding YouTube on the website||2 years|
|Security – protection against spam and abuse||Permanent/maximum|
|T-Mobile||Cookies used for the proper functioning of the Website||1 year|
|ATG||Cookies used for the proper functioning of the Website||Session|
|F5||Cookies used to identify the User as part of the load balancer – redirecting the User to the appropriate server||Session|
|Dynatrace||Cookies used for the proper functioning of the Website||Permanent/maximum|
|Exponea Bloomreach||Introduction of functional changes to the Website||3 years|
- Analytics cookies, enabling the collection of information on the use of the Website pages. (Opt-in) These cookies help us better understand Users’ behaviour. Analytics cookies enable the collection of information about the User and identification options by own or external providers in so-called pseudonymous usage profiles. For instance, we use analytics cookies to determine the number of individual visitors to a website or service, or to collect other statistics on the performance of our products, as well as to analyse Users’ behaviour based on anonymous and pseudonymous information. In addition to being used in business analysis, analytics cookies allow us to understand how you use our website, indicate pages that need improvement or that fulfil their function and are very popular. In reliance upon this information, we do not make any conclusions about a specific natural person, yet only make an anonymous evaluation of the User’s behaviour. The legal basis for these cookies is Article 6 (1) (a) of the GDPR. You can reset cookie settings again at any time to manage your preferences.
|Analytics – tracking and reporting traffic on the Website||2 years|
|Testing different variants of the website content to improve the User experience and website performance||2 years|
|Hotjar||Analytics (in particular recording and analysis of Users’ sessions)||1 year|
|Medallia||User experience management system (e.g. NPS surveys)||permanent|
|yahoo-analytics||Analytics – tracking and reporting traffic on the Website||1 year|
|Your CX||User experience and customer experience usability research||permanent|
- Personalisation cookies. By analysing your behaviour on our Website, as well as shopping preferences for brands, we are able to display personalised product suggestions and make changes to the functionality and personalisation of the Website. (Opt-in)
|Exponea Bloomreach||Introduction of functional changes to the Website and (depending on the consent expressed) personalisation of the marketing analyst (in particular SMS and e-mail campaigns)||3 years|
- Advertising cookies, including third-party services (independent external providers). By consenting to these cookies, you allow us to tailor advertisements to your interests. Thanks to them, cooperating entities will be able to properly adjust the displayed content so that it is useful and relevant for you. (Opt-in) These cookies and similar technologies are used to display personalised advertising content. Marketing cookies are used to display interesting advertising content and measure the effectiveness of our campaigns. Not only is this the case on the T-Mobile Websites but also on other websites of advertising partners (external providers). This is also known as ‘retargeting’ and is used to create a pseudonymous interest profile and to place relevant advertisements on other websites. Marketing and retargeting cookies help us display advertising content that is relevant to your interests. The legal basis for these cookies is Article 6 (1) (a) of the GDPR. You can reset cookie settings again at any time to manage your preferences.
|Google (Google Campaign Manager)||Advertisement management system||90 days|
|Google (Google Ads)||Online advertising platform||90 days|
|Facebook (Facebook Pixel)||Creation analysis and optimisation of target user groups for the purposes of advertising campaigns||90 days|
In our Websites, we have integrated external service providers who render their services independently. When you visit our website, data is stored using cookies or similar technologies, and transferred to a relevant third party – partly for telecommunications purposes. The legal basis for these cookies is Article 6 (1) (a) of the GDPR. Please be advised to read the third-party data protection information to learn the extent, purposes and legal basis for further processing of the third party’s own purposes. Information on independent third-party providers can be can be found below.
On individual websites, e.g. in the store finder, we use Google Maps for the display of maps, locations and route planning. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By embedding Google Maps, your IP address is immediately transferred to Google, and a cookie is saved as soon as you visit such a website. For more information on data processing by Google, please visit http://www.google.pl/intl/pl/policies/privacy. You can also object to it at any time.
If you have reached our website via a Google ad, Google AdWords will save a cookie on your computer. This cookie expires after 30 days. The information obtained through the so-called conversion cookie is used to generate statistics about our conversion rate. This means that we find out how many users have reached our website via a Google ad and purchase the product within 30 days. If you do not wish to participate in the tracking process, you can deactivate cookies for conversion tracking by specifying in your browser settings that cookies from the respective domain are blocked: Google AdWords: googleadservices.com
Our Website uses the so-called Google Captcha (“Google reCAPTCHA”). It is a security feature on websites, serving to allow only human-filled data to be sent. Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
In particular, Google’s security check uses the following information:
- Your terminal’s IP address
- Browser properties (e.g. browser type and version, screen resolution, language, time and date of access)
- Your Google account (if you are logged in)
- Your browsing behaviour
- Your access behaviour (e.g. mouse movements over reCAPTCHA)
- Image identification tasks as needed.
The legal basis for data processing is Article 6 (1) (f) of the GDPR (legitimate legal interest – the company’s interest in ensuring system security, to protect Customer forms and its website against attacks/spam). Should you wish to learn more information on Google reCaptcha, please visit: https://policies.google.com/privacy?hl=pl or https://policies.google.com/terms?hl=plo
- HTTP header information (including IP address, information about the web browser, page storage, document, website URL and Customer of the web browser user, as well as the date and time of use),
- Pixel data; this includes the pixel ID and Facebook cookie data, including Facebook ID (this data is used to link events to a specific Facebook advertising account and assign them to a Facebook user),
- Additional information about visits to our site, as well as standard and custom data events – Orders placed (sales) – Termination of registration and trial subscriptions – Products searched, product information retrieval.
Retargeting and LinkedIn conversion tracking (LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland) using LinkedIn Insight Tag, renders it possible to collect statistical, pseudonymous data (referrer URL, IP address (abbreviated), device and browser properties) about the visit on the website and the use of our website, as well as on the provision of relevant aggregate statistics on this basis. This information is also used to display specific and appropriate offers and recommendations after you have shown interest in certain products, information and offers on our website. This anonymous information is stored in the cookie for 6 months. Should you wish to learn more about the processing of data by LinkedIn, please visit: https://www.linkedin.com/legal/privacy-policy?trk=registration_footer-privacy-policy You can also object to it at any time.
The User may at any time disable or restore the cookies collection option by changing the settings in the web browser. The cookie management instructions are available at: http://www.allaboutcookies.org/manage-cookies .
Automated decision making
In some situations, we use automated decision-making processes.
We want the User to enjoy using our Websites and to be able to easily find interesting products. To that end, we analyse Users’ behaviour on the Websites, while using them anonymously or pseudonymously. In reliance upon the available data, Users may be presented with content tailored to their preferences and likings. The decision to present relevant content is made automatically.
In reliance upon the information provided by the User and information that we have obtained about the User, e.g. from Economic Information Bureaus, Credit Information Bureau, data provided by the User’s device, or data from other services that has been or is still provided to the User, we also carry out analyses as part of the User’s risk and credibility evaluation. Automated decision-making, including profiling, also takes place for reasons of online payment security or fraud prevention.
In the event of a negative evaluation, the consequence of profiling may be the refusal to provide the User with the selected form of financing.
If you are subjected to the process of automated decision-making, including profiling, you have the right to receive the intervention of our employee who will additionally verify your situation and the decision made. You can also present your position or contest the decision made.
Data storage period
As a rule, the period of personal data processing by the Controller depends on the type of service provided and the purpose of processing, including:
- data processed for providing electronic services will be processed until they are terminated, e.g. the account is removed from the website;
- data processed for exercising the legitimate interest of the Controller will be processed until it expires or until an effective objection to its processing is submitted (e.g. promotion of the Controller’s brand in social media);
- data processed on the basis of the consent given by the User will be processed until it is withdrawn (e.g. marketing consent);
- the data processing period may be extended if the processing is necessary to establish and pursue any claims or defend against them, and after that time, only in the case and to the extent that it will be required by law;
- after the expiry of the processing period, the data is irreversibly deleted or anonymized.
In connection with the activities described in this policy, personal data may be disclosed to third parties that are service providers for the Controller, primarily entities responsible for the operation of IT systems and equipment, websites, postal operators or couriers, marketing agencies.
This sort of data is transferred to third parties in accordance with the provisions of the GDPR, including appropriate safeguard measures are used each time, e.g. in the form of data processing agreements.
The Controller reserves the right to disclose selected information about the User only to state authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.
The level of Personal Data protection outside the European Economic Area (‘EEA’) differs from that provided by European law. For this reason, the Controller transfers Personal Data outside the EEA only when it is necessary and with an adequate level of protection, using appropriate measures, including but not limited to through:
- cooperation with entities processing Personal Data in countries for which an appropriate decision of the European Commission has been issued regarding the assurance of an adequate level of protection of Personal Data;
- the use of standard contractual clauses issued by the European Commission;
- the application of binding corporate rules approved by the competent supervisory authority.
1. User rights
Użytkownikowi przysługują następujące uprawnienia:
- to access the content of the data – that is, obtaining information about the purpose and method of Personal Data processing, categories of Personal Data processed, recipients or categories of recipients to whom the Personal Data has been or will be disclosed, the planned period of Personal Data retention, the right to request the Controller to rectify, delete or restrict the processing of Personal Data, the right to lodge a complaint with the supervisory authority, and a copy of the data;
- to request its rectification – that is, correction of Personal Data when it is incorrect, it has changed changed or has become obsolete, as well as to request to supplement incomplete personal data;
- to request its erasure – that is, erasure of data that is processed without legitimate legal grounds;
- to restrict processing – that is, data processing restrictions in cases where:
- the data subject questions the accuracy of the Personal Data,
- the processing is unlawful, and the data subject objects to the deletion of personal data,
- the Controller no longer needs personal data for the purposes of processing, but the data is needed by a person to establish, pursue or defend claims,
- the person has objected to processing – until it is determined whether the legitimate grounds on the part of the Controller override the grounds for objection raised by that person;
- to data portability – that is, to obtain its Personal Data that it has provided to us or to indicate another Controller to whom we should provide it, if technically possible;
- to object – an objection may only be raised against the processing of data based on the Controller’s legitimate interest (e.g. contact purpose). The Controller will cease processing data for these purposes, unless there are other overriding legitimate grounds for processing;
- to withdraw consent – consent may be withdrawn at any time. From the submission of such an instruction, the data will continue to be processed for the purpose covered by the consent. Please be reminded that the exercise of this right does not affect the compliance of data processing by the Controller prior to the withdrawal of consent;
- to lodge a complaint with the supervisory body dealing with personal data protection;
- not to be subjected to the process of automated
decision-making, including profiling, if such actions have
legal effects on you or otherwise significantly affect you. However, we may use
an automated decision-making process when such a decision:
1. is necessary for the conclusion or performance of a contract,
2. is allowed on the basis of separate provisions of law, or:
3. takes place after you have given your consent.
If you are subjected to the process of automated decision-making, including profiling, you have the right to receive the intervention of our employee who will additionally verify your situation and the decision made. You can also present your position or contest the decision made.
2. Method of exercising user rights
The User may exercise its rights by submitting the content of the request as follows:
- by e-mail to the following address:
BOA@t-mobile.pl – for subscribing Customers
BOU@t-mobile.pl – for Prepaid Customers
IOD@t-mobile.pl– for everyone
- by phone at:
602 900 000 – for subscriptions Customers
602 960 200 – for Prepaid Customers
- by sending a message via the website:
T‑Mobile: https://www.t-mobile.pl/logowanie (after logging in)
- via mobile application (Mój T‑Mobile)
- by traditional mail:
T‑Mobile Polska S.A., ul. Marynarska 12, 02-674 Warszawa
If the Controller is not able to identify the User on the basis of the submitted request, it will ask for additional information. Providing such data is not obligatory, yet failure to provide it will result in the refusal to fulfil the request.