Data Protection

Information on Personal Data Protection

In connection with the implementation of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR"), we inform you below about the rules for processing your personal data and about your rights in relation to it.
  1. The Controller of your personal data is Efigo Sp. z o.o. with its registered office in Katowice 40-064, ul. Kopernika 8/6, hereinafter referred to as the Controller.
  2. If you have any questions regarding the manner and scope of processing your personal data in our unit or regarding your rights, please contact the Data Protection Officer, Ms. Marcelina Tynda, via the e-mail address: [email protected].
  3. We would like to inform you that we process your personal data on the basis of applicable legal provisions, concluded contracts, and your consent.
  4. Your personal data is processed for the following purpose or purposes:
             a) fulfilling our legal obligations,
             b) performance of contracts concluded with contractors,
             c) in other cases, your personal data is processed only on the basis of your prior consent, to the extent and for the purpose specified in the content of that consent.
  5. In connection with the processing of data for the purposes referred to in point 4, the recipients of your personal data may be:
             a) public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes resulting from the provisions of generally applicable law;
             b) other entities which, on the basis of relevant agreements signed with our unit, process personal data for which we are the Data Controller.
  6. Your personal data will be stored for the period necessary to achieve the purposes specified in point 4, and after that time for the period and to the extent required by generally applicable law.
  7. In connection with the processing of your personal data, you have the following rights:
            a) the right of access to personal data, including the right to obtain a copy of this data,
            b) the right to request rectification (correction) of personal data - if the data is incorrect or incomplete,
            c) the right to request the deletion of personal data (also known as the right to be forgotten), if:
  • the data is no longer necessary for the purposes for which it was collected or otherwise processed,
  • the data subject has objected to the processing of personal data,
  • the data subject has withdrawn consent to the processing of personal data, which is the basis for data processing and there is no other legal basis for data processing,
  • personal data is processed unlawfully,
  • personal data must be deleted to comply with a legal obligation.
           d) the right to request restriction of the processing of personal data - if:
  • the data subject questions the accuracy of the personal data,
  • the processing of data is unlawful and the data subject opposes the erasure of data, requesting instead its restriction,
  • the Controller no longer needs the data for its purposes, but the data subject needs it to establish, defend, or pursue claims,
  • the data subject has objected to the processing of data until it is established whether the legitimate grounds on the part of the controller override the grounds for objection;

           e) the right to data portability - if the following conditions are jointly met:
  • data processing is carried out on the basis of a contract concluded with the data subject or on the basis of consent expressed by this person,
  • processing is carried out in an automated manner;
           f) the right to object to data processing - if the following conditions are jointly met:
  • there are reasons related to your particular situation, in the case of data processing based on a task carried out in the public interest or the exercise of official authority by the Controller,
  • processing is necessary for the purposes resulting from legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  8. If the processing of personal data is based on the consent of the person to the processing of personal data (Article 6(1)(a) of the GDPR), you have the right to withdraw this consent at any time. Such withdrawal does not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal.
  9. In the event of suspicion of unlawful processing of your personal data in our unit, you have the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office.
  10. If the processing of personal data is not based on applicable legal provisions, the provision of your personal data is voluntary.
  11. The provision of your personal data is obligatory if the basis for the processing of personal data is a legal provision or a contract concluded between the parties.
  12. Your data will not be processed in an automated manner and will not be profiled.

Additional explanations on the GDPR

What is the GDPR?

The protection of personal data in accordance with the GDPR is very important to us, as it concerns all natural persons, whole families, and children.
 
On 25 May 2018, the EU regulation on the protection of personal data entered into force - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR").
 
The explanations in this document are intended to help you identify and understand your rights regarding the processing of your personal data and are for informational purposes.
 
How can you exercise your rights?
 
You can contact our employee who is handling your case or is involved in processing your data.
 
You can call our general number, where you will be informed about further steps.
 
You can send your request electronically to the address of our Data Protection Officer. In the case of electronic correspondence, we will be obliged to confirm your identity before taking any action.
 
You can send your request by traditional mail to our address.
 
Who is the data controller (Controller)?
 
The data controller is the entity that decides on the purposes and means of data processing. In some cases, the law indicates who the data controller is.
 
Who is the processor?
 
Processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller (Article 4(8) of the GDPR).

What is the processing of personal data?
 
Under Article 4(7) of the General Data Protection Regulation (GDPR), the processing means "any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
 
What is the basis for the processing of personal data?
 
The processing of personal data must first of all be lawful, and this is the case if it is based on at least one of the following grounds:
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) of the GDPR),
  • processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract (Article 6(1)(b) of the GDPR),
  • processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR),
  • processing is necessary to protect the vital interests of the data subject or another natural person (Article 6(1)(d) of the GDPR),
  • processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller (Article 6(1)(e) of the GDPR),
  • processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f) of the GDPR).

Point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.

The processing of special categories of personal data (sensitive data) is prohibited unless at least one of the conditions indicated in Article 9(2) of the GDPR is met.

What is the purpose of processing personal data?
 
We process your personal data for the purpose of issuing decisions, contacting, informing about actions taken, conducting correspondence, and many other purposes, always in accordance with the law.
 
The purpose of processing your personal data is to perform the obligations imposed on the Data Controller under the law, for which processing is necessary.
 
How long do we process your data?
 
The processing period (which coincides with the storage period) results directly from legal provisions and is related to the archival category assigned to a specific set of documents. We may process selected data for 5, 10, 15, or even 50 years. Selected data will be processed perpetually, i.e. they will never be destroyed. Such data are marked with the letter A, which denotes the archival category.
 
To whom do we transfer your data?
 
Your personal data is disclosed only in justified circumstances and only at the request of entities authorized to do so. We take various measures to protect your privacy and exercise particular care when transferring data.
  • Data will be disclosed by us on the basis of applicable legal provisions at the request of the Police, Prosecutor's Office, Court, and services with appropriate authorizations.
  • We will also transfer your personal data to other public offices or institutions at an express request reflecting the provisions of the law (an unambiguous legal basis).
  • If you consent to the transfer of your personal data by us, we will do so in accordance with the content of the consent.
 
Your personal data will also be transferred to entities providing services to us, e.g.:
  • an external IT company providing support services to us,
  • an external law firm,
  • external entities providing data destruction services,
  • an external entity performing services on your behalf.

Each of these entities is obliged to protect your personal data at least at the same or better level as we do.

Rights of natural persons whose personal data we process

Please note that to exercise your rights, you must submit a request in writing so that we have a basis for its implementation.  

Right of access to your data

You have the right to access information:

  • whether your data is processed by us,
  • what data we process,
  • for what purpose we process the data,
  • about the recipients of the data (legal and/or natural persons to whom we disclose your data, other than entities to whom we disclose data on the basis of applicable legal provisions),
  • where we obtained your data from, the period of processing your data,
  • the rights you have,
  • automated decision-making in the processes of processing your personal data, including profiling.

In accordance with the GDPR, you have the right to obtain one free copy of your personal data. Each subsequent request for a copy will be subject to a fee, following the price list established by us based on average market prices.

We may refuse to make a copy of the data or to transfer the data if it would violate other legal provisions or harm other persons.
 
Right to restriction of processing
 
You can exercise the right to restriction of processing in the following cases:
  • If you believe that we are processing your personal data in an incorrect manner, you may request a restriction of processing.
  • If we are obliged by legal provisions to delete data, you may request restriction of its processing (including its deletion in this case) by demonstrating the purpose of its retention.
  • If you believe that the data we process is incorrect, its processing will be restricted until its accuracy is verified.

You may object to the processing of your personal data on grounds of a legal or public interest; we will then consider whether the ground for objection overrides the purpose of processing and will restrict or cease processing the data, or will continue to process your data.

Right to rectification of data
 
If your data is incorrect or incomplete, you have the right to request its rectification or completion. We will expect you to substantiate the inaccuracy in order to justify the need for the change.
 
Right to erasure of data (right to be forgotten)
 
NOTE: as the vast majority of your personal data is processed by us on the basis of legal provisions, and not on the basis of your consent, we will not be able to delete your data on request. Deletion would result in our violation of many other legal provisions, could also harm other persons, and consequently would prevent us from performing our duties.
 
We also cannot delete personal data from the media on which we process your personal data.
 
You can exercise the right to permanent erasure of your personal data in the following cases:
  1. There is no basis for processing your personal data. In this case, we will delete your data immediately, even if you do not make such a request.
  2. If we have to comply with other legal provisions that require the deletion of your personal data, we will do so without your consent.
  3. If you object to the processing of your personal data, we will delete this data if the reason for deletion is related to the specific situation in which you found yourself. In this case, we will examine whether your right and situation override the legal bases on which we carry out the processing.
  4. We have an unconditional obligation to delete your data processed for marketing purposes (e.g. informing you about new products via newsletter), but we process very little such data.
  5. We have an obligation to delete data provided for purposes related to information society services (according to the GDPR, this applies to children who have reached the age of 16).
 
Right to object
 
You have the right to object at any time to the processing of your personal data, on grounds relating to your particular situation, if the data is processed by us based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. After you object, we will not be able to process that personal data unless there are compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
 
As we process your data most often under applicable legal provisions, in the vast majority of cases we will not be able to comply with your rights arising from the objection.
 
Right to data portability
 
This right applies only to data that has been provided directly by you and is processed on the basis of your consent or on the basis of a contract. This right applies only to data processed in IT systems.

Withdrawal of consent to the processing of personal data
 
If you have consented to the processing of your personal data on the basis of Article 6(1)(a), you have the right to withdraw this consent at any time, and we are obliged to cease processing the data to the extent covered by that consent.
 
This is particularly important for personal data processed for direct marketing purposes.
 
Withdrawal of consent will not affect actions previously taken based on your consent, e.g. if we have published information based on your consent or transferred it to another person, we will not be able to reverse actions already taken.
 
Right to lodge a complaint
 
You have the right to complain to the supervisory authority, the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa.
 
You can find more information on the UODO website https://uodo.gov.pl/

Declaration of applied organizational and technical measures for data protection

The following information is a list of elements used by Efigo Sp. z o.o., (hereinafter referred to as EFIGO) for data protection purposes, with particular emphasis on personal data.

This declaration is binding concerning data processed for and on behalf of all Clients of Efigo Sp. z o.o.

Legend

Content of the declaration - a description of how the organizational and technical protection measures are implemented in the scope of personal data processing.

   1. Personal data processed under the contract is limited by EFIGO to what is necessary and proportionate for the purpose of providing services.

   2. EFIGO does not entrust data belonging to its Clients (owners of personal data) to other entities without the Client's written consent.

   3. EFIGO maintains a register of information regarding the disclosure of data to third parties, including information on disclosed personal data.

   4. EFIGO grants authorizations to process personal data.

   5. EFIGO regulates the processing of data by other entities, including the return, transfer, and deletion of entrusted personal data.

   6. The documentation concerning the security area in force in the EFIGO organization is constantly updated and versioned to preserve the history of changes.

   7. In the EFIGO organization, personal data printing on paper is limited to a minimum.

   8. EFIGO has defined procedures related to restoring data from the backup copy.

   9. EFIGO has implemented a data retention policy, which defines the timeframe for processing specific information.

   10. Files and documents produced for the purpose of performing the subject of the Agreement are stored in an encrypted repository, and redundant or temporary information is permanently stored in accordance with the described method of managing data available in electronic form.

   11. The transmission of personal data takes place using protocols guaranteeing encryption, e.g. SSL, TLS, IPsec, RADIUS, SSH.

   12. Personal data stored on portable data carriers and/or sent by e-mail are encrypted in a secure manner, which means using at least the AES-256 algorithm.

   13. EFIGO has limited to a minimum the possibility of sending personal data by e-mail, saving it in the cloud, or copying data to portable media.

   14. Personal data transmitted over public data transmission networks is encrypted before transmission.

   15. Printed paper documents are destroyed when necessary using shredders.

   16. Each EFIGO employee has an individual login and password to log in to the operating system and domain applications for EFIGO's personal data processing. The login and password are used for the correct implementation of the authorization process and confirmation of the user's/employee's identity.

   18. EFIGO maintains for at least 12 months the login history of users of its operating systems and domain applications to enable the reconstruction of the history of access to personal data.

   19. In the event of the expiry of a user account, it is not transferred to another user.

   20. EFIGO processes entrusted personal data in a known location within the European Union and has information enabling the identification of entities that are suppliers of infrastructure and software enabling data processing.

   21. EFIGO verifies, and records after verification, the actual organizational and technical capabilities of the entities to which it entrusts personal data.

   22. EFIGO conducts training for staff at least twice a year aimed at raising knowledge and awareness in the field of personal data processing.

   23. EFIGO has an internal audit team that conducts inspections and audits at least twice a year to ensure that an adequate level of security is maintained in the processing of personal data.

   24. EFIGO has implemented anti-virus software on every workstation and every server. The implemented software is characterized by stable operation, high efficiency, and up-to-date virus signature databases.

   25. EFIGO updates its operating systems and domain applications on an ongoing basis (without undue delay) to eliminate vulnerabilities to attacks and ensure work stability.

   26. EFIGO does not use operating systems and applications that do not have current and active support from their manufacturers, e.g. Windows XP, Windows 7.

   27. EFIGO has an up-to-date policy on access to rooms and the contents of cabinets, drawers, and other equipment enabling the processing of personal data.

   28. In the case of processing personal data on paper, EFIGO has storage places that can be locked with a key, down to the cabinet in which the personal data is stored.

   29. EFIGO has identified zones for processing special data.

   30. EFIGO maintains constant supervision over cleaning staff. Selected data processing sites are cleaned in the presence of employees responsible for data processing in those sites.

   31. EFIGO has implemented procedures and a tool to ensure business continuity.

   32. EFIGO has implemented procedures and a tool to ensure personal data protection against accidental destruction.

   33. Personal data and other information processed on users' computers are encrypted in their entirety using at least the AES-256 algorithm.

   34. Personal data and other information processed on servers are encrypted in their entirety using at least the AES-256 algorithm.

   35. Personal data and other information processed on backup storage devices are encrypted in their entirety using at least the AES-256 algorithm.

   36. Personal data and other information processed on smartphones are encrypted in their entirety (full encryption of the contents of each smartphone is used).  

   37. Smartphones/tablets are protected against unauthorized access by using a PIN code, a pattern drawn on the screen, or a fingerprint.

   38. Smartphones/tablets are protected against unauthorized access by using at least one of the following methods:

  • six-digit PIN code,
  • six-point pattern drawn on the screen,
  • fingerprint of the person using the device,
  • facial recognition of the person using the device.

   39. EFIGO does not allow the use of private smartphones/tablets for business purposes without written authorization.

   40. EFIGO does not allow the use of private computers for business purposes without written authorization.

   41. EFIGO does not allow passwords to software installed on smartphones/tablets to be remembered.

   42. EFIGO does not allow the installation of any software on smartphones/tablets.

   43. EFIGO does not allow the installation of any software on computers used for data processing.

   44. EFIGO does not allow the processing of EFIGO data on smartphones/tablets without written authorization.

   45. EFIGO provides all persons with a list of requirements regarding the use of organizational and technical measures for the secure processing of personal data.

   46. The e-mail used by EFIGO is located on servers operating within the European Union.

 
Cybersecurity and data protection.
Penetration, social engineering and performance tests. Security audits and trainings. 
Authorized OffSec partner in Poland.
© 2024 efigo.pl

Stay safe with us.
+48 504 112 162
+48 512 669 907
Efigo Sp. z o.o.
ul. Mikołaja Kopernika 8/6
40-064 Katowice
POLAND

VAT No: PL9542760427