DATA PROCESSING SECURITY POLICY
- The data controller (“Data Controller”) is CLICO Spółka z ograniczoną odpowiedzialnością with its registered office in Krakow, address: ul. Oleandry 2, 30-063 Krakow, registered at the District Court for Krakow-Śródmieście in Krakow, 11th Commercial Division of the National Court Register under KRS no. 0000107000, NIP (tax ID) 6770009678, with share capital of PLN 51,000.00.
- Personal data are processed in accordance with the Personal Data Protection Act of May 10, 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
- The Data Controller collects and processes personal data which are necessary for marketing, statistical and reporting purposes.
- The Data Controller collects the following personal data: first name, last name, telephone number, e-mail address.
- The Data Controller collects and processes personal data which are necessary for the provision of services, and also for marketing, statistical and reporting purposes. The Data Controller collects personal data in particular for the following purposes:
– developing and presenting a marketing proposal,
– direct marketing of the Data Controller’s and third parties’ products and services,
– statistical and analytical purposes,
– exercising a right or meeting an obligation resulting from a legal provision, including issuing an invoice,
– performing an agreement, if the data subject is a party to the agreement; or if such processing is necessary to take required preliminary actions before concluding the agreement at the request of the data subject,
– achieving legally authorized objectives of the Data Controller or data recipients, if such processing does not violate the rights and freedoms of the data subject.
- The Data Controller collects customers’ personal data during:
- a) registration via website,
- b) registration by phone or e-mail,
- c) registration in writing, before or during a training course/conference or another event organized by the Data Controller.
- The Data Controller implements appropriate technical and organizational measures, in accordance with applicable law, to ensure maximum protection of the customers’ personal data. Personal data are processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorized access to or use of personal data and the equipment used for the processing. The Data Controller grants appropriate authorizations to persons who have access to personal data. In order to maintain security and prevent unlawful processing, the Data Controller performs risk assessment and implements measures which mitigate that risk. The implemented measures ensure an appropriate level of security, including confidentiality, and take account of the state of the art. When assessing data security risk, the Data Controller takes account of the risk related to personal data processing – such as accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data which are transferred, stored or otherwise processed, which may lead to, without limitation, physical damage, property damage or other damage.
- Customers have, at any time, the right of access to and rectification or erasure of personal data or restriction of processing, the right to data portability, the right to object to processing, and the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. For that purpose, please send a request to: firstname.lastname@example.org, call 123783700 ext. 1121, or send a request by post to: ul. Oleandry 2, 30-063 Krakow. The Data Controller responds to the requests of data subjects without undue delay, within one month, and if it does not intend to fulfill a given person’s request, it gives reasons for refusal within that deadline. The Data Controller responds in the same form in which the request or question has been submitted.
- The Data Controller shall inform customers of processing their personal data in accordance with the transparency principle. The Data Controller makes sure that information about personal data protection is readily accessible, clear and understandable. In particular, the Data Controller informs data subjects about the identity of the Data Controller and the purposes of processing. The Data Controller provides any and all information necessary for ensuring reliable and transparent processing, taking account of specific circumstances and the specific context of personal data processing. That information may be provided electronically, e.g. through a website. The Data Controller informs the data subject whether the provision of personal data is mandatory, and about the consequences of failing to provide them. That information may be provided electronically, e.g. through a website. The Data Controller provides information about the processing of the data subject’s personal data at the moment of data collection.
- The Data Controller makes sure that the personal data being processed are adequate, appropriate and limited to that which is necessary for the purpose of their processing, and that their storage period is minimized.
- In order to prevent storing personal data longer than necessary, the Data Controller orders a periodic review once a year. As a result of the periodic review and ongoing management of personal data, the Data Controller takes action aimed at rectifying or erasing personal data which are incorrect or for which there are no grounds for further processing.
- Data are processed based on data subject’s consent or on other legitimate grounds provided by law, including to perform a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Consent is expressed in a voluntary, unambiguous and precise manner.
- If the purpose of processing is to comply with a legal obligation to which the Data Controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, the basis for the processing is European Union’s or Polish law.
- The Data Controller creates and maintains a Record of Processing Activities. In the Record of Processing Activities, the Controller indicates which data are being processed, from which data subject, for what purpose, for how long, at what location and with what security measures. Moreover, in the Record of Processing Activities, the Data Controller indicates who has access to personal data and on what basis they transfer data to third parties.
- The Data Controller indicates which legitimate interests of the Company indicate the possibility of transferring personal data within a group of companies, for internal administrative purposes. This also refers to processing personal data of customers or employees.
- In the case of processing for archiving, statistical purposes and for further processing of personal data, the Data Controller determines whether the processing operation complies with the law and the original purposes of processing. In such case, the Data Controller shall take into account the following aspects, without limitation: any connections between those purposes and the purposes of the intended further processing, context in which personal data have been collected, including without limitation reasonable grounds which allow data subjects to expect further use of data based on the type of their connection with the Data Controller, nature of personal data, consequences of intended further processing for data subjects and the existence of appropriate security measures both during the original processing and during the intended further processing.
- If personal data are to be revealed to a different recipient, the Data Controller informs the data subject about that fact upon revealing data to that recipient for the first time. If the Data Controller intends to process personal data for a purpose other than that for which they have been collected, the Data Controller shall inform the data subject about that other purpose and provide the data subject with other necessary information before further information processing.
- Data are transferred to third countries only in full compliance with GDPR. The Data Controller shall make sure that the terms and conditions of agreements with third countries include data protection model clauses adopted by the European Union.
- The Data Controller cooperates with relevant supervisory authorities with regard to any actions aimed at ensuring compliance with personal data protection law. The Data Controller shall cooperate with the supervisory authority and make the Record of Processing Activities available to the supervisory authority on request for the purposes of monitoring processing operations. The Data Controller makes submissions to supervisory authorities in the scope provided by law, including but not limited to GDPR.
- When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller communicates the personal data breach to the data subject without undue delay so as to enable them to take the necessary prevention measures. The communication shall describe the nature of the personal data breach and recommendations for the natural person concerning mitigating its possible adverse effects. Information is provided to data subjects as soon as reasonably possible, and if necessary – in close cooperation with the supervisory authority, observing guidelines provided by that authority or other competent authorities.
- The Data Controller takes the necessary measures to introduce appropriate provisions in agreements with third countries and cooperating entities, in order to ensure the security of personal data processing. For that purpose, the Data Controller periodically reviews relevant agreement provisions and indicates applicable clauses which meet legal provisions.
- The Data Controller reserves the right to amend this Personal Data Processing Security Policy.
- Any questions and doubts regarding the Personal Data Processing Security Policy may be directed to: email@example.com.
- This document has been approved by a resolution of the Company’s Management Board of May 24, 2018 and is effective from May 25, 2018.
- Cookies are IT data, including text files, which are stored on the Website user’s end device and are intended for using the Website’s web pages. Cookies usually include the name of the website from which they originate, storage period on the end device, and a unique number.
- Cookies are used for the purpose of:
– adjusting the content of the Website’s pages to the user’s preferences and optimizing the use of web pages; in particular, they make it possible to recognize the Website user’s device and appropriately display a web page, adjusted to their individual needs,
– creating statistics which help to understand how Website users use web pages, which makes it possible to improve their structure and content,
– providing data to third parties and redirecting users of third party Websites, including social media websites.
- The cookie files used by Clico Sp. z o.o. do not store any personal data of Website users.
- To collect general and anonymous static data via tools:
- a) analytical: Google Analytics [cookie administrator: Google Inc. based in the USA]
- b) e-marketing, which enable providing Users with advertising content more tailored to their interests: including Google AdWords [cookie administrator: Google Inc. with its registered office in the USA], Facebook [administrator of cookies: Facebook Inc. with its registered office in the USA], LinkedIn [cookie administrator: LinkedIn Corp. based in the USA].
- A user who visits the Website for the first time is asked for consent for the installation of cookies, which are enabled only if the user gives their consent. That process is implemented using a banner displayed on the Website’s homepage, which says that further viewing of a given web page is tantamount to consent for installing cookies on their device. The user may withdraw such consent at any time by changing browser settings, which make it possible to block the saving of cookies, without any costs other than transmission costs according to standard tariffs. In the browser settings, the user may arrange that saving cookies is accepted only after the user expresses their consent. Clico Sp. z o.o. points out that withdrawing consent for saving and processing data by cookies is effective only on the computer and browser in which the respective settings have been selected.
- The User may change cookie settings at any time. Such settings may be changed in particular so that automated support of cookies in the web browser settings is blocked or information about every placement of cookies on the user’s device is displayed. Detailed information about the possibility and manner of cookies support is available in the software’s (web browser’s) settings.
- The user may change the terms of storing or receiving cookies by changing settings in the web browser: Internet Explorer, Mozilla Firefox, Chrome, Safari.