1. ABOUT US
1. The manager of the personal data collected via the Website is STICHTING NASZ LAS, located at: pl. 3 Maja 18, 18-230 Ciechanowiec, Poland, email address: email@example.com. (“Administrator”)
2. FUNDACJA NASZ LAS manages the website and is responsible for the proper delivery of the electronic services of the website.
2. GENERAL PROVISIONS
2. The service provider takes particular care to protect the interests of data subjects and in particular ensures that the data collected by it is processed in accordance with the law; is collected for specified, lawful purposes and not subjected to further processing inconsistent with those purposes; is factually correct and adequate in relation to the purposes for which it is processed; and is stored in a form that allows identification of the persons to whom it relates for no longer than is necessary to achieve the purpose of the processing.
5. The Customer’s personal data is processed in accordance with the GDPR and the Data Protection Act of 10 May 2018 (hereinafter the Personal Data Protection Act) and the Electronic Services Act of 18 July 2002 (Official Gazette of Laws 2002 No. 144, item 1204 as amended).
3. PURPOSE AND SCOPE OF DATA COLLECTION
1. In each case, the purpose, scope and recipients of the data processed by the Service Provider are the result of the actions taken by the Service Recipient on the Website. For example, if the Customer intends to use the Account, his personal data will be processed to conclude and perform the contract for the use of the Account.
2. The Administrator processes personal data of the Service Recipient or his representatives for the following purposes:
- conclusion and performance of the contract for the use of the Electronic Service,
- fulfillment of obligations arising from legal provisions, including tax and accounting regulations,
- conducting judicial, arbitration, administrative, judicial-administrative, enforcement and mediation proceedings,
- documenting contractual relationships for evidence purposes for the statute of limitations of claims related thereto,
- carrying out direct marketing of services or goods offered by the Administrator, including via e-mail correspondence of the newsletter type,
- handling complaints and claims arising from warranty rights
3. The Service Provider may process the following personal data of Service Recipients using the Website:
- first and last name of the recipient of the service,
- email address,
- Name of the collaborating organization,
- Name of the affiliate of the collaborating organization,
4. The provision of personal data referred to in the point above is not mandatory, but is necessary to conclude and perform the contract for the provision of electronic services on the website. The scope of the data required to conclude a contract is always indicated in advance on the Website, when using the Website and in the Regulations (if applicable).
5. Personal data relating to the Service Recipient may be transferred to government authorities or to other persons or third parties – to the extent and in cases where the administrator is legally obliged to provide it. In addition, Personal Data relating to the Service Recipient may also be transferred to entities that provide accounting and bookkeeping services, as well as legal services for the Administrator. In addition, Personal Data relating to the Service Recipient may also be transferred to entities that perform accounting, bookkeeping and legal services for the Administrator on the basis of a separate agreement.
6. The Administrator declares that it has taken appropriate technical and organizational measures to guarantee an appropriate level of security that corresponds to the risk associated with the processing of the personal data entrusted to it, as referred to in art. 32 GDPR. The manager regularly checks and updates the technical and organizational measures he uses to guarantee an appropriate level of protection for the personal data entrusted.
7. The Administrator declares that it has introduced the Personal Data Protection Policy in order to guarantee the security of the processing of personal data. The Personal Data Protection Policy is a measure implemented by the Administrator in accordance with Art. 24 sec. 1 and 2 of the GDPR, which aims to introduce a procedure for the treatment of personal data in the company led by the Administrator, on the basis of which the processing by the Administrator will take place in accordance with the GDPR.
8. Processing of personal data for the purposes indicated above in point 3 para. 2 includes in particular the collection, modification, storage, viewing, updating, analysis and archiving thereof.
9. The Service Provider also processes anonymized data related to the use of the Website (for example, the number of Service Recipients) in order to generate statistics on the use of the Website. This data is aggregated and anonymous, i.e. it does not contain any characteristics that identify individuals using the Website.
10. Personal data of the Service Recipient are kept by the Administrator for the following period:
- in the case of personal data for which the legal basis for their processing by the Administrator is the fact that it is necessary for the proper performance of the contract – until the claims under this contract expire,
- in the case of personal data for which the basis for their processing by the controller is a legitimate interest – until this basis for processing ceases to exist, in particular until the limitation of the claims of the controller and the claims of the recipient of the service arising out of the legal relationship between them, termination of the legal existence of the Administrator or valid or final determination or award or satisfaction or defense of any claim or other right of the Administrator or the Recipient of the Service in any judicial, arbitration, administrative, judicial-administrative, enforcement or mediation procedures,
- in the case of personal data for which the basis for their processing is that it is necessary to comply with the legal obligations incumbent on the Administrator – until this basis for processing ceases to exist.
4. COOKIES AND PERFORMANCE DATA
1. The service provider does not process the data in cookies when using the website.
5. BASIS FOR DATA PROCESSING
1. The provision of personal data by the Service Recipient is voluntary, but failure to provide the personal data indicated on the Website and in the Regulations of the Website (if applicable) as necessary to conclude and perform the contract for the use of the Electronic Service will result in the inability to enter into this contract.
2. The legal basis for the processing of personal data for the purpose indicated above in point 3 para. 2 letter a) is that it is necessary for the performance of the agreement. The legal basis for the processing of personal data for the purpose indicated above in point 3 para. 2 letter b) is that it is necessary to comply with the legal obligations to which the Administrator is subject. The legal basis for the processing of Personal Data for the other purposes indicated above in that point is the legitimate interest pursued by the Administrator.
6. RIGHTS OF THE DATA SUBJECT TO THE PROTECTION OF PERSONAL DATA
1. The data subject may exercise his rights using the form available at: https://app.gorodo.pl/api/zadanie/7221636645
A. Right to information
1. When obtaining personal data, the administrator is obliged to provide the person from whom the data originates with all of the following information:
- its identity and contact details and, if applicable, the identity and contact details of its representative,
- if applicable, contact details of the data protection officer,
- the purposes of the processing of personal data and the legal basis for the processing,
- information about recipients of personal data or categories of recipients, if applicable,
- if applicable – information about the intention to transfer Personal Data to a third country or international organization,
- the period during which personal data will be kept, and if this is not possible, the criteria for determining this period,
- information on whether the provision of personal data is a legal or contractual obligation or a condition for entering into a contract and whether the data subject is obliged to provide it and what the possible consequences are of not providing data.
2. If the Administrator intends to further process personal data for a purpose other than the purpose for which the personal data was collected, he is obliged to inform the data subject of this other purpose before further processing and to provide him with all other relevant information.
B. The right to withdraw consent to the processing of personal data
1. The data subject has the right to withdraw consent to the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of the processing that took place on the basis of the consent before its withdrawal.
C. Right to access personal data
1. The data subject has the right to obtain from the Administrator confirmation as to whether or not Personal Data concerning him or her is being processed, and if so, he has the right to access these data and the following information:
- processing purposes;
- categories of relevant personal data;
- information about recipients or categories of recipients to whom personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- if possible, the planned period of storage of personal data, and if this is not possible, the criteria for determining this period;
- information about the right to request the Administrator to rectify, erase or restrict the processing of personal data and to object to such processing;
- information about the right to lodge a complaint with the supervisory authority;
- if the personal data has not been collected from the data subject – all available information about their source;
- information on automated decision-making, including profiling, referred to in Art. 22 sec. 1 and 4 of the GDPR, and – at least in these cases – relevant information about the rules for taking it, as well as about the importance and expected consequences of such processing for the data subject.
2. The Administrator is obliged to provide the Data Subject with a copy of the Personal Data. For all subsequent copies requested by the data subject, the Administrator may charge a reasonable amount as a result of administrative costs. If the Data Subject requests a copy electronically and unless otherwise specified, the information will be provided by commonly used electronic means.
D. The right to demand rectification and deletion of personal data
1. The data subject has the right to request that the Administrator rectify any incorrect personal data without delay. Taking into account the purposes of the processing, the data subject has the right to request that incomplete personal data be completed, including by submitting a supplementary statement.
2. The data subject has the right to request the Administrator to immediately delete the personal data concerning him, and the Administrator is obliged to delete the personal data without undue delay if any of the following circumstances arise:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
- the data subject has withdrawn the consent on which the processing is based in accordance with Art. 6 sec. 1 letter a) or Art. 9 sec. 2 letter a) GDPR and there is no other legal basis for processing,
- the data subject objects in accordance with Art. 21 sec. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects in accordance with Art. 21 sec. 2 GDPR with regard to processing,
- personal data must be deleted to comply with a legal obligation provided for in Union law or the law of a Member State to which the controller is subject,
- personal data have been collected in connection with the provision of information society services as referred to in Art. 8 sec. 1 GDPR,
- personal data have been processed unlawfully.
3. The data subject’s rights set out in point 2 above do not apply to the extent that the processing is necessary to exercise the right to freedom of expression and information; to establish, pursue or defend claims; to comply with a legal obligation requiring processing under Union law or the law of the Member State to which the Administrator is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the Administrator; for reasons of public interest in the field of public health in accordance with Art. 9 sec. 2 letters h) and i) GDPR and Art. 9 sec. 3 GDPR; or for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 sec. 1 of the GDPR, if this right is likely to prevent or seriously impair the achievement of the purposes of such processing.
4. The administrator is obliged to inform the data subject about rectification or deletion of personal data, unless this proves impossible or involves a disproportionate effort.
E. The right to restrict the processing of personal data
1. The data subject has the right to request the Administrator to limit the processing of his personal data in the following cases:
- The data subject doubts the accuracy of the personal data – for a period that allows the Administrator to verify its accuracy,
- the processing is unlawful and the data subject opposes the erasure of personal data and instead demands the restriction of its use,
- The administrator no longer needs the personal data for the processing purposes, but the data subject needs them to establish, pursue or defend claims,
- The data subject has objected to the processing pursuant to Art. 21 sec. 1 of the GDPR – until it has been determined whether the legitimate grounds of the controller prevail over the grounds for the objection of the data subject.
2. The administrator is obliged to inform the data subject about the restriction of the processing of personal data, unless this proves impossible or will require disproportionate effort.
F. Right to transfer of personal data
1. The data subject has the right to receive in a structured, commonly used, machine-readable format the personal data concerning him that has been provided to the Administrator and has the right to transmit this personal data without any hindrance from the Administrator to another administrator, if the processing is carried out by automated means and a) is based on the consent of the data subject or b) is necessary for the performance of the contract.
2. By exercising the right mentioned above, the data subject has the right to request that personal data be transmitted by the Controller directly to another controller, if this is technically possible. This right does not apply to processing necessary for the performance of a task of public interest or for the exercise of public authority entrusted to the Administrator. This right should also not adversely affect the rights and freedoms of other entities.
G. Right to object and rights regarding automated decision-making in individual cases
1. The data subject has the right to object at any time – for reasons related to his particular situation – to the processing of his personal data based on Art. 6 sec. 1 letter e) or f) GDPR, including profiling based on these provisions. The controller may no longer process this personal data unless it demonstrates the existence of valid, legally justified grounds for processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, investigation or defense of claims.
2. If personal data are processed by the Administrator for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him or her for the purpose of such marketing, including profiling, insofar as the processing is related to such direct marketing.
3. If the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
4. If personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 sec. 1 GDPR, the data subject has the right – for reasons related to his particular situation – to object to the processing of his personal data, unless the processing is necessary for the performance of a task carried out in the public interest.
5. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is necessary for the conclusion or performance of a contract between the data subject and the Manager; is permitted by Union or Member State law to which the controller is subject and which provides for appropriate measures to protect the data subject’s rights, freedoms and legitimate interests or is based on the data subject’s explicit consent.
7. FINAL PROVISIONS
2. The administrator accordingly provides for the following technical measures to prevent the acquisition and modification of personal data transmitted electronically by unauthorized persons:
3. securing the dataset against unauthorized access;