Introduction
The protection of personal data is a necessary aspect of CI Games SE with headquarters in Warsaw (“CIG”), as well as the entire CI Games Group, of which CIG is a part. As a producer and publisher of computer games and an employee recruiting employees throughout the year, CIG feels responsible for the security of personal data processed by CIG in connection with its ongoing operations. Our goal is also to properly inform you about matters related to the processing of personal data, especially in terms of the content of the new provisions on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and the repeal of Directive 95/46/EC (“GDPR”). This document provides information on the legal grounds for personal data processing by CIG, data collection and usage and the rights of entities whose CIG data is processed.
What is personal data and what it means to process such data
Personal data means data relating to a living individual who is or can be identified from the data. The processing of personal data is in principle any act on personal data, regardless of whether it is done in an automated manner or not, for example, collecting, storing, recording, ordering, modifying, browsing, using, sharing, restricting, deleting or destroying. CIG processes personal data for a variety of purposes, while depending on the purpose of use, it can employ different collection methods, legal grounds for processing, use, disclosure and retention periods.
When this Privacy Policy applies
This privacy policy applies to all cases in which CIG is the controller and processor of personal data. This applies to both cases where CIG processes personal data obtained directly from the data subject, as well as cases in which personal data has been obtained from other sources. CIG carries out its information duties in both of the above cases, specified in Article 13 and Article 14 of GDPR in accordance with these provisions. Full CIG data as the controller of personal data is provided below:
CI Games SE with its registered office in Warsaw at: Rondo Ignacego Daszyńskiego 2B, 00-843 Warsaw, and is registered in the Register of Entrepreneurs of the National Court Register conducted by the District Court for Capital City of Warsaw in Warsaw, 13th Commercial Division, under KRS number 0001025884, Tax ID No. 1181585759, REGON [National Business Registry No.] 017186320. The person responsible for the protection of personal data in the CIG Group is Małgorzata Sas-Madej (rodo@cigames.com).
What is the method, legal basis and type of personal data processed by CIG
CIG wants to be transparent in terms of methods, legal basis for the processing of personal data and the purposes for its processing. As a data controller, CIG takes care to provide necessary information in this regard to each individual whose personal data is processed. A summary of the processing of personal data is provided below.
At the same time, CIG emphasizes that whenever it processes personal data based on the legitimate interest of the data controller, it tries to analyze and balance its interest and potential impact on the data subject (whether positive or negative) and the rights of that person under the provisions on personal data protection. CIG does not process personal data based on its legitimate interest if it concludes that the impact on the data subject would prevail over CIG’s interests (then CIG may process personal data if it has the appropriate consent or if such processing is required or permitted under applicable law).
Processing personal data of individuals visiting websites run by CIG or using electronic services
General information
Individuals visiting CIG websites or using electronic services provided by CIG (hereinafter collectively “Services”) have control over personal data provided by CIG. Said websites and services restrict the collection and use of information about their users to the necessary minimum required to provide their services at the desired level, pursuant to Article 18 of the Act of July 18, 2002 on the provision of electronic services (Journal of Laws of 2020, item 344, as amended).
Cookies
To a limited extent, CIG may collect personal data automatically via cookies located on the CIG websites. Cookies are small text files saved on a user’s computer or other mobile device while using the websites. These files allow using various functions provided on a given website or confirming that a given user has viewed certain content from a given website. Cookies include those that are necessary for the operation of CIG websites. The cookies included in this category allow:
- Maintaining the user’s session;
- Recording the state of the user’s session;
- Enabling Login authorization;
- Saving information allowing for anonymous login of the user;
- Monitoring the availability of services.
Another category of cookies are files that are not necessary to use the Services, but facilitate their use. They are used to allow:
- Remembering the user’s choice regarding discontinuing displays of a selected message or displaying it a specified number of times;
- Restoring the user session;
- Checking if the cookie files are working properly;
- Enabling automatic login to the Website (option “remember me”);
- Adjusting the content of the Services to users’ preferences;
- Setting the preferred language, font size and other such features to help users work with the application.
CIG also uses the services of third parties whose list is constantly changing and which use cookies for the following purposes:
- Monitoring traffic on CIG websites;
- Collecting anonymous, aggregate statistics that allow CIG to understand how users use the CIG website and allow continuous improvement of CIG Services;
- Determining the number of anonymous CIG website users, needed to analyze the use of the Services;
- Controlling the frequency of showing selected content to users;
- Controlling how often users choose a service;
- Using a communication tool;
- Integration with the community portal;
- Online payments.
As of the date of this document, these entities are as follows:
- Google Analytics (more information and Google Analytics Plugin Blocker on tools.google.com);
- Facebook (more information on www.facebook.com)
- DotPay (more information on www.dotpay.pl).
Users can manage cookies used by CIG or by any other external providers by changing the settings of their web browser. At the same time, CIG reserves that after rejecting cookies, some of the features offered by the Services may not work properly and even in some cases it means that the use of the selected product is completely prevented.
Access logs
CIG collects information on the use of the Services by its users and their IP addresses based on the analysis of access logs.
CIG uses this information in diagnosing server-related problems, analyzing possible security breaches and managing the website. The IP address may also be used by CIG for statistical purposes, such as collecting and analyzing demographic data of website visitors (e.g., information about the region from which the connection was made). In specific cases, based on the obtained information, general aggregate statistical summaries are prepared, which are disclosed to third parties cooperating with CIG. They usually include information about Services viewing. These summaries do not contain any data allowing identification (personally identifiable information) of a given Service user.
CIG may be required to disclose information regarding the IP address of a given Service user at the request of authorized state bodies in connection with their proceedings and under relevant provisions of generally applicable law.
Other data
As a rule, CIG collects more detailed information about users, such as email addresses or other personal data only when it is really necessary to provide a given service in some cases, e.g., when subscribing to free newsletters, in surveys or in order forms.
Automatic processing of personal data
The information collected by CIG in connection with the use of the Services may be processed in an automated manner while it will not cause any legal effects to the individual or similarly materially affect their situation.
Legal basis for processing
When processing personal data in connection with the use of CIG Services by users, CIG may have different legal grounds for processing, depending on the category of personal data that it processes and the purpose of processing. For example:
– CIG processes personal data of persons visiting CIG websites based on the legitimate interest of the data controller, e.g., by adjusting the displayed advertisements or by requesting consent of the data subject;
– When the relevant applicable law requires the processing of certain personal data for tax or accounting purposes.
Processing of personal data of persons contacting CIG in order to obtain information about the offer or to share comments about CIG services or products or contacting CIG to conclude a contract with CIG.
Apart from the above data from individuals who contact CIG in order to obtain information about the offer or share comments regarding services or CIG products and those contacting CIG to conclude a contract with CIG, the company collects the following personal data: first and last name, email address or phone number. These users can send CIG an email through the website or a message via chat. Such messages contain the set username and email address plus any additional information that the user wants to include in the message.
CIG asks users not to provide information from specific categories of personal information via websites (such as information on race or ethnic origin, political views, religious or philosophical beliefs, trade union membership, information about physical or mental health, genetic or biometric data, information about sexual life or sexual orientation or about the criminal past). In the event that such information is provided for any reason, CIG will deem this express consent to the collection and use of such information as set out herein or as determined at the location where such data was disclosed.
Legal basis for processing
CIG collects the above data based on the consent provided by the user directing the request to CIG or in order to perform the contract (fulfillment of the request). The provided data can also be processed to fulfill the so-called justified purpose of the data controller.
Processing of personal data of CIG’s existing and potential customers
CIG processes the personal data of its existing and potential customers. This data may also include personal data of people associated with CIG customers who are not individuals (such as contact persons). Personal data of this type is processed in IT systems used by CIG (e.g., CRM). Personal data processed for these purposes includes, but is not limited to first and last name, employer name, contact person position, telephone number, email address or other business contact details. Furthermore, for customers who have concluded payable agreements/contracts with CIG, we can also process payment data, including credit card numbers and bank account numbers. The personal data of business contacts may be disclosed to full-time CIG sales force associates and used by them to conduct CIG trading activities.
Please note that the information on cookies and access logs provided in the first section (“Processing personal data of individuals visiting CIG websites or using electronic services ”) is also applicable to the processing of data of individuals using CIG’ products or services offered online.
Automatic processing of personal data
The information collected by CIG in connection with our products and services online may be processed in an automated manner (including profiling) but it will not cause any legal effects to the individual or similarly materially affect their situation. We attach particular importance to profiling and emphasize that:
– We do not process any sensitive data for profiling purposes;
– For profiling purposes, we usually process data that was previously subject to pseudonymisation or data that we aggregated;
– If we are unable to achieve the objective otherwise than by profiling personal data that has not been pseudonymised or non-aggregated, we use typical data for this purpose: email and IP address or cookies;
– We use profiling to analyze or forecast personal preferences and interests of people using our Services or products or services and matching content found on our Services or products to these preferences;
– We use profiling for marketing purposes, namely, matching the marketing offer to the above preferences.
Legal basis for processing
The processing of personal data of individuals who are our customers is based on:
– The legitimate interest of CIG as a data controller (in the area of database creation, analytical and profiling activities, including activities regarding the analysis of the use of products, securing documentation for defense against potential claims or for exercise of claims);
– Consent (especially including consent to email marketing);
– Performance of the concluded contract/agreement;
– Obligations resulting from generally applicable provisions of law (such as tax law or accounting regulations).
The processing of personal data of individuals who are our potential customers is based on:
– The legitimate interest of CIG as a data controller (e.g. for creating databases);
– Consent (especially including consent to email marketing);
Processing personal data of end users of CIG online products
In a situation where we provide certain products or services to customers online, especially using the formula commonly referred to as SaaS, we process personal data of end users of such products and services. Please note that the information on cookies and access logs provided in the section “Processing personal data of individuals visiting CIG websites or using electronic services ” is also applicable to the processing of data of individuals using CIG’s products or services offered online.
Detailed rules for the protection and processing of personal data in such products are set out in the Regulations regarding these products and this software.
Automatic processing of personal data
The information collected by CIG in connection with our products and services online may be processed in an automated manner (including profiling but also monitoring the manner of using online products or services) but it will not cause any legal effects to the individual or similarly materially affect their situation. We attach particular importance to profiling and emphasize that:
– We do not process any sensitive data for profiling purposes;
– For profiling purposes, we usually process data that was previously subject to pseudonymisation or data that we aggregated;
– If we are unable to achieve the objective otherwise than by profiling personal data that has not been pseudonymised or non-aggregated, we use typical data for this purpose: email and IP address or cookies;
– We use profiling to analyze or forecast personal preferences and interests of people using our Services or products or services and matching content found on our Services or products to these preferences;
– We use profiling for marketing purposes, namely, matching the marketing offer to the above preferences.
Legal basis for processing
If the end users are also CIG customers, the legal grounds for processing their data are the same as in the case described above (“Processing personal data of individuals who are customers or potential CIG customers”) in respect of CIG customers. If they are not customers, the legal basis for the processing of their personal data, depending on the situation and type of personal data, is the consent of an individual or CIG’s legitimate interest as a data controller (e.g. in the scope of securing documentation for defending against possible claims or for exercise of claims).
How long does CIG process personal data
The time during which we are allowed to process personal data depends on the legal basis that constitutes a legal condition for the processing of personal data by CIG. We are not allowed to process personal data longer than it results from the aforementioned legal basis. Accordingly, we provide the following notification:
1) If CIG processes personal data based on consent, the processing period continues until the user withdraws the consent;
2) If CIG processes personal data based on the legitimate interest of the data controller, the processing period lasts until the cessation of the aforementioned interest (e.g., the statute of limitations/expiration of civil claims) or the objections of the data subject concerning continuing such processing where such objection is applicable in accordance with the provisions of generally applicable law;
3) If CIG processes personal data because it is necessary due to the applicable law, the periods of data processing for this purpose are defined by these provisions;
4) In the absence of specific legal provisions or contractual regulations, the basic period of storing data to keep records and other documentary evidence drawn up during the performance of the contract is not more than 10 years.
When and how we share personal data with third parties
Do we transfer data to third countries
We provide personal data to others only if we are permitted by law. In this case, in the applicable agreement with a third party, we provide security provisions and mechanisms to protect data and to maintain our standards in terms of data protection, confidentiality and security. These types of agreements are called entrustment agreements for the processing of personal data, wherein CIG maintains control over how and to what extent the entity to whom CIG entrusted the processing of certain categories of personal data processes the data. In view of the above, we indicate that the recipients of personal data that CIG processes as personal data controller may be:
– Aforementioned entities processing personal data under agreements for entrusting the processing of personal data (processors);
– Entities providing hosting services for CIG;
– Entities implementing marketing or sales campaigns for CIG;
– Other CIG subcontractors who provide software delivery services, software or hardware maintenance services used by CIG and suppliers of goods we use;
– Entities providing survey services, including NPS (customer satisfaction research);
– Debt collection agencies (provided that personal data is provided only to the extent that it is really necessary to achieve a given goal);
– Auditors and statutory auditors, legal and tax advisers;
– Authorities supervising compliance with law, regulatory authorities and other public administration bodies (in the latter two cases, we provide data only if and to the extent that it is actually necessary and required by mandatory provisions of law and in a manner consistent with these regulations).
As we pointed out earlier, CIG is part of the CI Games capital group, therefore, some personal data may be transferred to other companies from the CIG Group. In terms of personal data subject to EU law, we emphasize that cross-border transfer may apply to countries that are not members of the European Economic Area (“EEA”) and countries that do not have laws that specifically define personal data protection. We take steps to ensure that all personal data are protected and that the transfer of personal data outside the EEA is lawful. In the event of transferring personal data outside the EEA to a country which, according to the European Commission, does not ensure an adequate level of personal data protection, transfer takes place only on the basis of an agreement that takes into account EU requirements for the transfer of personal data outside the EEA.
What are the rights of data subjects and how they are implemented
Natural persons have legal provisions regarding their personal data, and CIG as the data controller is responsible for the implementation of these rights in accordance with the applicable provisions of generally applicable law. For any questions or requests regarding the scope and implementation of rights and in order to contact us to exercise a certain right in the field of personal data protection, please contact us at the following email address: rodo@cigames.com. CIG reserves the right to exercise the following rights after successfully verifying the identity of the person applying for the action.
Access to personal data
Individuals have the right to access data that CIG retains as a data controller. This right can be exercised by sending an email to: rodo@cigames.com .
Changing personal data
Changes, including updates of personal data processed by CIG, may be made by sending an email to the following email address: rodo@cigames.com or by contacting CIG through the appropriate registration page or application in which the registration was made, or via traditional mail.
Withdrawing consent
If personal data is processed based on consent, individuals have the right to withdraw this consent at any time. CIG notifies about this right almost always during the collection of consents and allows withdrawal of consent in the way it was granted. If CIG did not provide another address or contact number to withdraw your consent, please send an email to rodo@cigames.com .
The right to limit the processing or object to the processing of personal data
Individuals have the right to limit the processing or object to the processing of their personal data at any time, due to their special situation, unless the processing is required in accordance with the generally applicable provisions of law.
An individual may object to the processing of their personal data when:
The processing of personal data takes place on the basis of a legitimate interest or for statistical purposes and the objection is justified by his or her particular situation;
Personal data is processed for direct marketing purposes, including profiling for this purpose.
On the other hand, in relation to a request to limit processing, CIG points out that the request also applies when an individual notices that their data is incorrect. In this case, the individual can request a restriction to the processing of personal data for a period allowing CIG to check the correctness of this data.
Other rights: the right to erasure of data and the right to data portability
If you intend to use any of these rights, please send an email to rodo@cigames.com.
The right to erase data may be used, for example, when the data of an individual is no longer necessary for the purposes for which it were collected by CIG or when an individual withdraws their consent to data processing by CIG and also in the case when an individual objects to the processing of their data or when their data will be processed unlawfully. The data should also be deleted in order to comply with the obligation under applicable law.
The right to data portability is granted when the processing of a person’s data takes place based on the consent of an individual or the contract concluded with them and when such processing is carried out automatically.
Other questions, doubts and complaints
If you have any questions or doubts regarding the content of this Privacy Policy or the manner in which CIG processes personal data, or complaints regarding these matters (regardless of the fact that CIG expresses its deep hope that there will be no need to file such complaints), please send us an email with details of the complaint to rodo@cigames.com. Any complaints received will be considered by CIG, and the person who submits the question, doubt or complaint will receive a response from CIG.
Persons whose personal data are processed by CIG may also file a complaint to the supervisory authority, which is currently the Office for Personal Data Protection (address: Urząd Ochrony Danych Osobowych [Office for Personal Data Protection], ul. Stawki 2, 00-193 Warsaw; https://uodo.gov.pl/pl/p/kontakt).
We can be contacted directly at CIG headquarters, by letter (email and traditional mail) or telephone at:
CI Games SE
Rondo Daszyńskiego 2B
00-843 Warsaw
phone: +48 22 718 35 00
Can this Privacy Policy be changed and if so, when
We are committed to regularly review this Privacy Policy and change it when it is necessary or desirable due to new generally applicable law, new guidelines of bodies responsible for supervising the processes of personal data protection, best practices applied in the area of personal data protection (i.e. codes of good practice; if CIG will be bound by such codes, we will let you know). We also reserve the right to change this Privacy Policy in the event of changes in technology with which we process personal data (if the change affects the wording of this document) and in the event of changes in methods, purposes or legal grounds for personal data processing by CIG.
This document was last updated on March 22, 2023.