Data protection

In connection with the implementation of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR"), we would like to inform you about the rules of processing your personal data and about your related rights.

1. The administrator of your personal data being processed is Efigo Sp. z o.o. with headquarters in Katowice 40-064, ul. Kopernika 8/6, hereinafter referred to as ADO.

2. If you have questions about the method and scope of processing your personal data in our unit or about your rights, please contact the Data Protection Officer, Ms Marcelina Tynda, via e-mail: [email protected].

3. Please be advised that we process your personal data on the basis of applicable law, concluded contracts and on the basis of your consent.

4. Your personal data is processed for the purpose / purposes:

a) to fulfill our legal obligations,

b) to implement contracts concluded with contractors,

c) in other cases, your personal data are processed only on the basis of the prior consent to the extent and for the purpose specified in the consent.

5. In connection with the processing of data for the purposes referred to in point 4, the recipients of your personal data may be:

a) public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes that result from the provisions of generally applicable law;

b) other entities which, on the basis of relevant contracts signed with our unit, process personal data for which we are the Personal Data Administrator.

6. Your personal data will be kept for the period necessary to achieve the objectives set out in point 4, and thereafter for the period and to the extent required by the provisions of generally applicable law.

7. In connection with the processing of your personal data, you have the following rights:

a) the right to access personal data, including the right to obtain a copy of this data,

b) the right to request the rectification (correction) of personal data - if the data is incorrect or incomplete,

c) the right to request the deletion of personal data (also known as the right to be forgotten),

in cases where:

  • the data are no longer necessary for the purposes for which they were collected or otherwise processed,
  • the data subject has objected to the processing of personal data,
  • the data subject has withdrawn consent to the processing of personal data, which is the basis for data processing and there is no other legal basis for data processing,
  • personal data is processed unlawfully,
  • personal data must be removed in order to comply with the legal obligation

d) the right to request the restriction of the processing of personal data - if:

  • the data subject questions the correctness of personal data,
  • data processing is unlawful, and the data subject opposes the deletion of data, requesting their restriction instead,
  • The administrator no longer needs the data for his purposes, but the data subject needs them to establish, defend or pursue claims,
  • the data subject has objected to the processing of data until it is determined whether the legitimate grounds of the administrator override the grounds of objection;

e) the right to transfer data - if the following conditions are jointly met:

  • data processing takes place on the basis of an agreement concluded with the data subject or on the basis of the consent expressed by that person,
  • processing is carried out in an automated manner,

f) the right to object to the processing of data - if the following conditions are jointly met:

  • there are reasons related to your particular situation, in the case of data processing on the basis of a task carried out in the public interest or as part of the exercise of public authority by the Administrator,
  • processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, in particular, when the data subject is a child.

8. If the processing of personal data is based on the consent of the person to the processing of personal data (Article 6 (1) (a) of the GDPR), you have the right to withdraw this consent at any time. This withdrawal does not affect the compliance of the processing, which was carried out on the basis of consent before its withdrawal, with applicable law.

9. If you suspect that your personal data is being processed unlawfully in our unit, you have the right to lodge a complaint with the supervisory body, which is the President of the Office for Personal Data Protection.

10. In a situation where the processing of personal data does not take place on the basis of applicable law, the provision of personal data by you is voluntary.

11. Providing your personal data is obligatory when the premise for the processing of personal data is a legal provision or an agreement concluded between the parties.

12. Your data will not be processed in an automated manner and will not be profiled.

What is GDPR?

The protection of personal data in accordance with the GDPR is very important to us, because it applies to all individuals, entire families and children.

On May 25, 2018, the EU regulation on the protection of personal data came into force: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR").

The explanations in this document are intended to help you identify and understand your rights regarding the processing of your personal data and are informative.

How can you exercise your rights?

You can contact our employee who handles your case or is involved in the processing of your data.

Call our general number and you will be informed about the next steps.

Send your request by e-mail to the address of our Data Protection Officer. In the case of electronic correspondence, we will be required to confirm your identity before performing any activities.

Send your request by traditional mail to our address.

Who is the personal data administrator (ADO)?

The data controller is the entity that decides about the purposes and methods of data processing. In some cases, it is the law that indicates who is the data controller.

Who is the processor?

Processor means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller (Article 4 (8) of the GDPR).

What is the processing of personal data?

Pursuant to Art. 4 pts 7 of the General Data Protection Regulation GDPR, data processing means "an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise providing, adjusting or combining, limiting, deleting or destroying".

What is the basis for the processing of personal data?

The processing of personal data must, above all, be lawful, and this is the case when it is based on at least one of the following conditions:

  • the data subject has consented to the processing of his personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR),
  • processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) of the GDPR),
  • processing is necessary to fulfill the legal obligation incumbent on the controller (Article 6 (1) (c) of the GDPR),
  • processing is necessary to protect the vital interests of the data subject or another natural person (Article 6 (1) (d) of the GDPR),
  • processing is necessary to perform a task carried out in the public interest or as part of the exercise of public authority entrusted to the administrator (Article 6 (1) (e) of the GDPR),
  • processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular, when the data subject is a child (Article 6 (1) (f) of the GDPR).

Point f) shall not apply to processing carried out by public authorities in the performance of their tasks.

The processing of special categories of personal data (sensitive data) is prohibited, unless at least one of the conditions set out in Art. 9 sec. 2 GDPR is met.

What is the purpose of personal data processing?

We process your personal data for the purpose of issuing decisions, contacting, informing about actions taken, correspondence and many other purposes, always in accordance with the law.

The purpose of processing your personal data is to perform the obligations imposed on the Personal Data Administrator under the law, for which processing is necessary.

How long do we process your data?

The processing period (also identified with storage) results directly from the law and is related to the archival category assigned to a specific set of documents. We can process selected data for 5, 10, 15 or even 50 years. The selected data will be processed perpetually, i.e. it will never be destroyed. Such data is marked with the letter A, which means the archival category.

Who do we transfer your data to?

Your personal data is disclosed only in justified circumstances and only at the request of authorized entities. We make every effort to protect your privacy and maintain special hygiene when transferring data.

  • The data will be disclosed by us on the basis of applicable law at the request of the Police, the Prosecutor's Office, the Court and services with appropriate authorizations.
  • We will also provide your personal data to other offices or public institutions upon a clear request, as reflected in the provisions of law (clear and unambiguous legal basis).
  • If you consent to the transfer of your personal data by us, we will do so in accordance with the consent.

Your personal data will also be transferred to entities providing services to us, e.g.

  • an external IT company that provides support services for us,
  • an external law firm,
  • external entities providing data destruction services,
  • an external entity that provides services to you.

Each of these entities is required to protect your personal data to at least the same level as we do.

Rights of natural persons whose personal data we process

Please note that in order to exercise your rights, you must submit a request in writing so that we have a basis for its implementation.

The right to access your data

You have the right to access information:

  • whether your data is processed by us,
  • what data we process,
  • for what purpose we process the data,
  • about recipients of data (legal and/or natural persons to whom we disclose your data, except for entities to whom we disclose data on the basis of applicable law),
  • where do we get your data from,
  • the period of processing your data,
  • the rights that you are entitled to,
  • automated decision making in the processing of your personal data, including profiling.

According to the GDPR, you have the right to obtain one free copy of your personal data. The next request for a copy will be payable, in accordance with the price list set by us based on the average market prices.

We may refuse to make a copy of the data or transfer the data in the event that it violates other legal provisions or harms other persons.

The right to limit the processing of your data

You can exercise the right to restrict processing:

  • If you believe that we process your personal data incorrectly, you may request the restriction of processing.
  • If we are required to delete your data by law, you may request the restriction of their processing (in this case, deletion) by demonstrating the purpose of their preservation.
  • If you believe that the data processed by us is incorrect, their processing will be limited until the correctness is verified.

You may object to the processing of your personal data in the event of a legitimate legal or public interest. We will consider whether the ground for objection overrides the purpose of processing, and we will either limit or stop processing your data or continue to process it.

The right to correct data

If your data is incorrect or incomplete, you have the right to demand that it be corrected or supplemented. We will expect you to substantiate any inaccuracies in order to justify the need for changes.

The right to delete data (to be forgotten)

NOTE: because we process the vast majority of your personal data on the basis of legal provisions, and not based on your consent, we will not be able to delete your data on request. Deletion would result in our violation of many other legal provisions, could also harm other people and, consequently, prevent us from performing our duties.

We are also unable to remove personal data from the media on which we process your personal data.

You may exercise your right to permanent deletion of your personal data in the following cases:

  1. Your data is not necessary for the purposes pursued by us for which it was processed.
  2. There is no basis for the processing of your personal data. In this case, we will delete your data immediately, even if you do not make such a request.
  3. If we have to comply with other legal provisions that require the removal of your personal data, we will do so without your consent.
  4. If you object to the processing of your personal data, we will delete this data, provided the reason for deletion is related to the specific situation in which you have found yourself. In this case, we will investigate whether your rights and situation override the legal grounds on which we are processing.
  5. We have an unconditional obligation to delete your data processed for marketing purposes (e.g. informing you about new products via a newsletter), but we process very little of such data.
  6. We are obliged to delete data provided for purposes related to information society services (in accordance with the GDPR, it applies to children over the age of 16).

Right to object

You have the right to object at any time to the processing of your personal data for reasons related to your particular situation, as long as we process the data pursuant to Art. 6 sec. 1 lit. e) or f) GDPR, including profiling based on these provisions. After the objection is raised, we will not be able to process this personal data, unless there are valid legitimate grounds for processing, overriding the interests, rights and freedoms of the data subject, or the grounds for establishing, investigating or defending claims.

Because we process your data most often under applicable law, in the vast majority of cases we will not be able to exercise your rights resulting from the objection.

Right to data portability

This right only applies to data that has been provided directly by you and is processed on the basis of your consent or on the basis of a contract.

This right only applies to data processed in IT systems.

Withdrawal of consent to the processing of personal data

If you have given your consent to the processing of personal data pursuant to Art. 6 sec. 1 lit. a) GDPR, you have the right to withdraw your consent at any time, and we are obliged to stop processing data to the extent specified on the basis of the consent.

This is of particular importance for personal data processed for direct marketing purposes.

Withdrawal of consent will not affect activities performed previously based on your consent, e.g. if we published information based on your consent or transferred it to another person, we will not be able to reverse activities already performed.

Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.

More information can be found on the website of the Personal Data Protection Office https://uodo.gov.pl/

The information below is a list of elements used by Efigo Sp. z o.o., (hereinafter referred to as EFIGO) for the purposes of data protection, with particular emphasis on personal data.

This declaration is binding on the data processed for and on behalf of all customers of Efigo Sp. z o.o.

Legend

The content of the declaration: a description of how the organizational and technical protection measures in the field of personal data processing are implemented.

The content of the declaration

1. The personal data processed under the contract is limited by EFIGO to what is necessary and proportionate to the purpose of the provision of the services.
2. EFIGO does not entrust data belonging to its clients (owners of personal data) to other entities without the written consent of the client.
3. EFIGO maintains a register of disclosure information to third parties, including information on disclosed personal data.
4. EFIGO grants authorizations to process personal data.
5. EFIGO regulates the return, transfer and deletion of entrusted personal data with data processors.
6. Documentation related to the security area in force in the EFIGO organization is constantly updated and versioned in order to maintain the history of changes.
7. At EFIGO, printing of personal data on paper is kept to a minimum.
8. EFIGO has defined procedures related to the restoration of data from the backup performed.
9. EFIGO has an implemented data retention policy, which means that it knows how long it can process specific information.
10. Files and documents produced in order to perform the subject of the Agreement are stored in an encrypted repository, and the redundant or temporary information is permanently in accordance with the described method of managing data available in electronic form.
11. The transmission of personal data takes place using protocols that guarantee encryption, e.g. SSL, TLS, IPSec, Radius, SSH.
12. Personal data stored on portable data carriers and/or sent by e-mail are securely encrypted, which means the use of at least AES-256 algorithm.
13. EFIGO has limited to a minimum the possibility of sending personal data by e-mail, saving in the cloud or copying data to portable media.
14. Personal data transmitted over public data networks are encrypted before transmission.
15. Printed paper documents are destroyed when necessary with the use of shredders.
16. Each EFIGO employee has an individual login and login password to the operating system and domain applications in which EFIGO's personal data is processed. The login and password are used to correctly implement the authorization process and confirm the identity of the user / employee of the organization.
17. EFIGO has an implemented policy of managing the accounts of employees processing the Administrator's personal data, which guarantees confidentiality and hygiene in the field of efficient regulation (granting, receiving, changing) of rights to personal data.
18. EFIGO maintains the login history of users of its operating systems and domain applications for at least 12 months in order to enable the reconstruction of the history of access to personal data.
19. In the event of termination of the user's account, it is not transferred to another user.
20. EFIGO processes the entrusted personal data in a known location in the European Union and has information enabling the identification of entities that are suppliers of infrastructure and software enabling data processing.
21. EFIGO verifies the actual organizational and technical capabilities of the entities to which it entrusts personal data and records them after verification.
22. EFIGO conducts training for staff at least twice a year, aimed at increasing knowledge and awareness of the processing of personal data.
23. EFIGO has an internal audit team that conducts inspections and audits at least twice a year to ensure that an appropriate level of security in the processing of personal data is maintained.
24. EFIGO has implemented anti-virus software on each workstation and on each server. The implemented software is characterized by stability of operation, high efficiency and has up-to-date virus signature databases.
25. EFIGO regularly (without undue delay) updates its operating systems and domain applications in order to eliminate vulnerability to attacks and ensure work stability.
26. EFIGO does not use operating systems and applications that do not have the current and active support of their producers, e.g. Windows XP, Windows 7.
27. EFIGO has an up-to-date policy of access to rooms and the contents of cabinets, drawers and other elements of equipment that enable the processing of personal data.
28. In the case of processing personal data on paper, EFIGO has locked storage spaces, identified down to the individual cabinet in which the personal data is stored.
29. EFIGO has identified specific data processing zones.
30. EFIGO exercises permanent supervision over the cleaning staff. Selected data processing places are cleaned in the presence of employees responsible for data processing in these places.
31. EFIGO has procedures and a tool in place to ensure business continuity.
32. EFIGO has implemented procedures and a tool that guarantee the protection of personal data against accidental destruction.
33. Personal data and other information processed on users' computers are fully encrypted using at least AES-256 algorithm.
34. Personal data and other information processed on servers are fully encrypted using at least AES-256 algorithm.
35. Personal data and other information processed on backup storage devices are fully encrypted using at least AES-256 algorithm.
36. Personal data and other information processed on smartphones are fully encrypted (full encryption of the content of each smartphone is used).
37. Smartphones / tablets are protected against unauthorized access by using a pin code or a drawn character on the screen or a fingerprint.
38. Smartphones / tablets are protected against unauthorized access by using at least one of the following methods:
  • a six-digit pin code,
  • a six-point pattern drawn on the screen,
  • fingerprint of the person using the device,
  • recognition of the face of the person using the device.
39. EFIGO does not allow the use of private smartphones / tablets for business purposes without written authorization.
40. EFIGO does not allow the use of private computers for business purposes without written authorization.
41. EFIGO does not allow you to remember passwords for software installed on smartphones / tablets.
42. EFIGO does not allow any software to be installed on smartphones / tablets.
43. EFIGO does not allow any software to be installed on computers used for data processing.
44. EFIGO does not allow EFIGO data to be processed on smartphones / tablets without written authorization.
45. EFIGO provides all persons with a list of requirements for the application of organizational and technical measures for the safe processing of personal data.
46. E-mail used by EFIGO is located on servers operating in the European Union.