INFORMATION SECURITY POLICY
This Information Security Policy, hereinafter referred to as the “Policy”, has been prepared to demonstrate that Personal Data are processed and secured in accordance with the legal requirements regarding the principles of data processing and security, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”).
The purpose of this Policy is to provide information on the rules for the processing of personal data of Contractors who are natural persons (including sole proprietors) and contact persons obtained from all Contractors, provided to the Controller, including in connection with cooperation or performance of the contract between the Controller and the Contractor.
- Data Controller or Controller – ŚLICZNA 36 sp. z o.o., KRS: 0000634864, NIP (Tax ID): 6793133235
  - address: ul. Powiśle 12/5, 31-101 Kraków
  - phone: 604 100 967
- Personal Data – all information relating to an identified or identifiable natural person.
- Data processing – any operations performed on Personal Data, such as collection, recording, storage, adaptation, alteration, sharing and erasure, in traditional form and in IT systems.
- Legitimate interest of the Data Controller – establishing and pursuing claims or rights of the Controller or defence against such claims, direct marketing of services provided by the Controller, provision of services and communication with Contractors.
- The policy applies to all Personal Data processed by the Controller, irrespective of the form of their processing and whether the Personal Data are or can be processed in data sets.
- The purpose of processing of Personal Data is, among others, direct marketing of the Controller’s products and services.
- To provide services in accordance with its business profile, the Data Controller processes Personal Data for various purposes, but always in accordance with the law, based on one of the following legal bases:
  - with respect to Personal Data of the Contractor (being a natural person), i.e. forename, surname, gender, age, company, address details, NIP (Tax ID) number, REGON (National Business Registry) number, PESEL number, bank account number, e-mail address, telephone number – for the purpose of performance of the contract to which the Contractor is party or in order to take steps at the request of the Contractor to whom the data relate prior to entering into a contract – pursuant to art. 6(1)(b) GDPR (performance of the contract);
  - with respect to the Contractor’s Personal Data (being a natural person) and the Contractor’s contact persons: forename, surname, gender, age, company, business address, NIP (Tax ID) number, PESEL number, bank account number, correspondence address, e-mail address – for compliance with a legal obligation to which the Controller is subject in connection with the performance of the contract – pursuant to art. 6(1)(c) GDPR;
  - with respect to forename, surname, correspondence address, telephone number, e-mail address and other data provided – to the extent necessary for the purposes of cooperation with, or performance of the contract with, the Controller – for the purposes of the legitimate interests pursued by the Controller in facilitating cooperation or performance of the contract – pursuant to art. 6(1)(f) GDPR (legitimate interest);
  - with respect to the Contractor’s Personal Data (being a natural person) and the Contractor’s contact persons: forename, surname, gender, age, company, business address, NIP (Tax ID) number, REGON (National Business Registry) number, PESEL number, bank account number, correspondence address, telephone number, e-mail address – to the extent necessary to establish, exercise or defend claims in court, administrative or other extra-judicial proceedings – for the purposes of the legitimate interests pursued by the Controller in establishing and exercising the Controller’s claims or rights or defending against such claims – pursuant to art. 6(1)(f) GDPR (legitimate interest);
  - with respect to the Contractor’s Personal Data (being a natural person) and the Contractor’s contact persons: forename, surname, gender, age, company, business address, NIP (Tax ID) number, correspondence address, e-mail address, telephone number – for the purpose of direct marketing (based on your explicit, voluntary and prior consent) – pursuant to art. 6(1)(a) GDPR.
- Whenever the Controller processes Personal Data based on the legitimate interest of the Data Controller, it tries to analyse and balance the interest and potential impact on the data subject and his or her rights under the provisions on the protection of Personal Data.
- Personal Data processed by the Data Controller are collected in data sets.
- The Data Controller shall not undertake processing activities associated with a serious probability of high risk for the rights and freedoms of persons. If such activity is planned, the Controller shall perform the activities specified in art. 35 et seq. GDPR.
- The Data Controller shall maintain a record of processing activities.
Pursuant to GDPR you have the right to:
  - access your Personal Data and obtain a copy of them;
  - rectify (correct) your Personal Data;
  - erase or restrict the processing of your Personal Data;
  - object to the processing;
  - portability of your Personal Data;
  - lodge a complaint with a supervisory authority.
The time for which the Controller processes Personal Data depends on the legal basis constituting the legal condition for the processing of Personal Data by the Controller. Respectively:
  - if the Controller processes Personal Data on the basis of consent, the processing period lasts until the data subject withdraws this consent;
  - if the Controller processes Personal Data on the basis of the legitimate interest of the Data Controller, the processing period lasts until the above-mentioned interest ceases to exist (e.g. on expiry of the limitation period for civil law claims) or until the data subject objects to further such processing – in situations where such an objection is in accordance with the law;
  - if the Controller processes Personal Data because this is required by applicable law, the periods of processing for this purpose are specified in those provisions (for example, where the law obliges the Controller to store the Contractor’s Personal Data for a longer period, or where the Contractor’s Personal Data are needed by the Controller to file legal claims or defend against legal allegations, the Controller shall keep the Contractor’s Personal Data until the end of the applicable storage period or until such claims are resolved);
  - in the absence of specific legal or contractual requirements, the basic period of storage of Personal Data in the case of records and other documentary evidence prepared during performance of the contract is a maximum of 10 years.
- Personal Data shall be obtained directly from you or indirectly, i.e. from the Controller’s Contractors, who provided the Personal Data in connection with the performance of contracts concluded with the Controller.
- The Controller collects your personal data for the purposes of marketing activities either directly from you or from third parties (e.g. real estate portals, social networking sites and individuals in connection with the referral programme).
- The Controller may collect and process your particularly sensitive Personal Data in very limited cases and only if it is necessary for the purpose of their processing and only if it is permitted by law.
- Providing personal data directly by you is voluntary. Refusal to provide Personal Data may, however, prevent the conclusion of the contract by the Controller or may affect the scope of services that the Controller will be able to provide to you.
- The Controller transfers Personal Data to other entities only when permitted by law. In such a case, in an appropriate contract concluded with a third party, the Controller shall provide for security provisions and mechanisms to protect Personal Data and maintain standards in the scope of Personal Data protection, confidentiality and security. The recipients of Personal Data that the Controller processes may be the following:
  - entities processing Personal Data under contracts on entrusting the processing of personal data;
  - entities providing hosting services for the Controller;
  - other subcontractors of the Controller providing services in the field of software delivery, maintenance services, and software or hardware used by the Controller, accounting companies and accounting offices, as well as suppliers of goods used by the Controller;
  - tax advisers, auditors, statutory auditors, attorneys and legal advisers, notaries;
  - banking institutions;
  - law enforcement bodies, regulatory bodies and other public administration bodies.
- In the event of transferring your Personal Data to third countries, i.e. to recipients based outside the European Economic Area or Switzerland in countries which, according to the European Commission, do not provide sufficient data protection (third countries that do not provide an adequate level of protection), the Controller shall transfer them using mechanisms consistent with applicable law, which include, among others: (1) the EU “Standard Contractual Clauses”; (2) a certificate of compliance with the Privacy Shield obtained by the third party (if it has its registered office in the United States); (3) transfer to a third country in respect of which the European Commission has determined by decision that the third country ensures an adequate level of protection.
- The Controller may use your Personal Data for automated decision-making, including profiling. As a result of these actions, however, the Controller does not make decisions that are based solely on automated decision-making, including profiling, and which could have legal effects on you or similarly significantly affect you. To clarify, profiling is the process of automatic processing by the Controller of information regarding you, including Personal Data such as age, gender, interests, correspondence address or preferences regarding specific products or services marketed by the Controller. This process is used to build your profile and analyse it. For profiling purposes, the Controller uses Personal Data provided by you directly, as well as Personal Data regarding, for example, your activity on the investment website, collected using cookies, and data obtained from external sources, e.g. Facebook. The Controller ensures that the collection and use of Personal Data takes place without undue interference with your privacy.
- You may be the addressee of marketing activities based on statistical data that are not Personal Data. This means that visitors to the Controller’s website may be shown advertising content regarding the Controller’s investment while visiting other websites.
- All persons cooperating with the Controller are obliged to process Personal Data in accordance with applicable regulations and in accordance with the Security Policy established by the Controller, the IT System Management Manual, as well as other internal documents and procedures related to the processing of personal data.
- The following, in particular, shall be considered as a violation or attempted violation of the principles of processing and protection of Personal Data:
  - breaches of security of IT systems in which Personal Data are processed, if processed in such systems;
  - providing or enabling access to Personal Data to unauthorized persons or entities;
  - failure, even inadvertent, to fulfil the obligation to protect Personal Data;
  - failure to comply with the obligation to keep Personal Data confidential and to secure them;
  - processing of Personal Data not in accordance with the assumed scope and purpose of their collection;
  - causing damage, loss, uncontrolled alteration or unauthorized copying of Personal Data;
  - violation of the rights of persons whose Personal Data are processed.
- The obligations of the Data Controller regarding the employment, termination or amendment of the employment conditions of employees or associates (persons undertaking activities for the Data Controller under other civil law contracts) include ensuring that:
  - employees are properly prepared to perform their duties;
  - each person processing Personal Data is authorized in writing to process them in accordance with the “Authorization to process personal data”;
  - every employee has undertaken to keep the Personal Data they process confidential.
- Employees are required to:
  - comply strictly with the scope of the authorization granted;
  - process and protect Personal Data in accordance with regulations;
  - keep Personal Data and the manner of securing them confidential;
  - report incidents related to breaches of data security and system malfunctions.
- If a breach of the protection of Personal Data is found, the Controller shall assess whether the breach may have caused a risk to the rights or freedoms of natural persons.
- In every situation where the breach may have caused the risk of violation of the rights or freedoms of natural persons, the Controller shall report the breach of the Personal Data protection principles to the supervisory body without undue delay – if feasible, no later than within 72 hours after finding the breach.
- If the risk of violation of rights and freedoms is high, the Controller shall also notify the data subject about the incident.
- On its website the Data Controller, like other entities, may use so-called cookies, i.e. short text information saved on the user’s computer, telephone, tablet or other device. They can be read by the Controller’s system, as well as by systems belonging to other entities whose services the Controller uses.