Personal Data Protection Policy

1. INTRODUCTION

1.1. This Personal data protection policy (“Policy”) stipulates the principles of personal data processing at Robert Dobrzycki Foundation (“Data Controller”). The Data Controller ensures that personal data processing within The Data Controller’s undertaking is compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”).

1.2. Your privacy is important to the Data Controller, and it is important that the personal data collected about you is stored and processed in a safe and secure manner, and in accordance with GDPR. In this policy, the Data Controller provides you information about the types of personal data that may be processed, for what purposes, on which legal bases, how it is collected, with whom it may be shared and how long it may be stored. The Data Controller also inform you of your rights and how to contact the Data Controller.

1.3. In the event of cooperating with a third party, which involves the personal data processing, The Data Controller ensures that such third party undertakes to guarantee an appropriate level of personal data protection, nevertheless bearing in mind the provisions of the Policy.

1.4. The Data Controller appoints a person responsible for the personal data protection, i.e. the Data Protection Officer (“DPO”) or the Data Protection Coordinator (“DPC”) and ensures adequate measures and resources necessary to perform the relevant tasks.

2. TRANSFERRING AND STORAGE OF PERSONAL DATA

2.1. The Data Controller does not share, sell, transfer or otherwise disseminate your personal data to third parties and will not do so in future, unless (i) required by law, (ii) required for the purpose of the contract or (iii) you have given explicit consent to the processing of personal data. For instance, it may be necessary to pass on your address and order data to our contractors when you order services. The Data Controller may also disclose your personal data to other entities. Such recipients may include service providers collaborating with the Data Controller, i.e. an accounting firm, third party consultants, IT solution providers.

2.2. The personal data the Data Controller collects from you is stored within the European Economic Area (EEA) but may also be transferred and processed in a non-EEA country (“Third Country”). Upon such transfer, processing of your personal data is still carried out in accordance with GDPR. In cases where processing of your personal data is carried out outside the EU/EEA, this is due to the European Commission either having determined that a Third Country ensures an adequate level of protection or provides appropriate safeguards to ensure that your rights are protected.

3. PURPOSES OF THE PROCESSING

3.1. The Data Controller processes your personal data for a variety of purposes, which will be described in more detail below. Whether you are an employee, a costumer, user to our website, a contact person or otherwise a person which personal data we process, we may collect and process the following personal data about you (including, but not limited to): name, social security number, address, email address and mobile phone number.

3.2. The Data Controller processes your personal data primarily in order to (i) fulfill an agreement or (ii) fulfill a legal obligation. The Data Controller may also process your personal data due to (iii) its ‘legitimate interest to do so or (iv) due to your explicit consent.

3.3. If you are employed based on an employment agreement (or a candidate for employment), or collaborator based on another type of agreement (or a potential collaborator), the Data Controller processes your personal data in order to perform such agreements, pursuant to the labor law. Irrespective of the legal form of your employment, the Data Controller processes your personal data in order to satisfy its obligations provided for in the laws on taxes, accounting and social security.

3.4. If you are a contact person to any of our (current or potential) customers, suppliers or partners your personal data may be processed to conclude and manage agreements with the Data Controller. Certain personal data may also be processed in order to ensure compliance with the Data Controllers legal obligations.

3.5. In connection with the user´s use of the Data Controller´s website, the Data Controller collects data to the extent necessary to provide individual services offered, as well as information about the user’s activity on the website.

3.6. In particular situations, the Data Controller may process your data in order to pursue claims or defend against claims, in connection with the legitimate interest to protect its rights.

3.7. In some situations, the Data Controller may require your consent to personal data processing. Please remember that in such cases the decision to provide or refuse consent is yours and will not entail any negative consequences. In the case of consent-based processing, you are allowed to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, the Data Controller may not be able to provide certain services to you.

4. PERIOD OF PERSONAL DATA PROCESSING

4.1. Your personal data will be processed for as long as it is necessary to pursue the Data Controller´s objectives as specified herein or in accordance with separate information provided by the Data Controller. The period of storage of personal data processed by the Data Controller for its legitimate interest may change in time. It depends, inter alia, on the Data Controller’s technology and business decisions.

4.2. The Data Controller processes personal data subject to the principle of data storage limitation and ensures that personal data is processed only as long as it is compliant with GDPR.

4.3. When the retention period of personal data is not explicitly specified by the law, the Data Controller itself defines the retention periods autonomously, in line with the principle of storage limitation (Art. 5(1)(e) GDPR).

4.4. The Data Controller ensures that once all the purposes of the personal data processing have expired, no operations are performed on the data other than erasure thereof. Where possible, the Data Controller has implemented automatic deletion-mechanisms to ensure deletion upon expiration of the retention terms.

4.5. Personal data that the Data Controller is obligated to retain pursuant to the provisions of law will be processed for the total duration of this obligation as provided for by the law. Other data concerning a service, an agreement or employment will be kept for the entire term of the agreement/employment, and then until the date when any potential claims become time-barred. Data processed based on consent will be processed until such consent is withdrawn or until the time specified in the wording of the consent.

5. YOUR RIGHTS

5.1. You have a range of rights in connection with the processing of your personal data by the Data Controller. Below you will find general information on those rights and guidelines on how to execute them. A request to perform your rights may be delivered in writing sent by e-mail to the Data Controller’s e-mail address to be found below, in the “Contact data” section. The Data Controller will respond to your request promptly.

5.2. You have the right to be informed of whether and to what extent we process your personal data. In reply to your request, we will provide you (in writing or electronically, depending on your choice) with information on the scope and purposes of processing your personal data, categories of data processed, processing period, entities to whom your personal data has been made available or to whom the processing of your personal data has been entrusted (the so-called recipients of the personal data), as well as information about the sources of your data. If the processing includes automated decision-making with respect to your situation, you will be also informed of the logic involved in such decision-making process, their significance and expected consequences. You are also entitled to request a copy of your personal data. However, only the first copy will be provided free of charge. The second and each further copy can be provided against payment.

5.3. You have the right to rectify inaccurate personal data as well as update or complete your data if your data or your situation have changed. You also have the right to demand erasure of your data processed by the Data Controller or limiting the processing, provided that the legal conditions are met.

5.4. You have the right to demand transmission of your personal data to another controller or to obtain your data in a structured, commonly used, machine-readable format. This right is limited only to personal data that the Data Controller received from you.

5.5. You have the right to object to the processing performed for the Data Controller’s legitimate interests. The objection must be grounded as its validity is evaluated by the Data Controller. We will then stop processing unless we can demonstrate a legitimate reason for the processing that takes precedence over your interests and rights or due to legal claims.

5.6. If you believe that our processing of your personal data may breach your rights, let us know. Since privacy protection is a significant area of our business, we do appreciate any comments and suggestions on the matter. Nevertheless, you are entitled to lodge a complaint in connection with the Data Controller’s processing of your personal data to the Supervisory Authority using https://uodo.gov.pl/en/485

6. CONTACT DATA
We have appointed the Personal Data Protection Coordinator responsible for the matters in the area of personal data protection. The Data Protection Coordinator may be contacted via e-mail: [email protected]