- The Controller of the user data is the following entity: Instytut Biotechnologii Surowic i Szczepionek BIOMED Spółka Akcyjna, with registered seat at al. Sosnowa 8, 30-224 Kraków, NIP: 675 00 05 418, REGON: 000 28 80 24, KRS: 0000080810;
- The Data Controller can be contacted at the mailing address: al. Sosnowa 8, 30-224 Kraków and at the e-mail address: firstname.lastname@example.org;
Purposes, legal basis and period of data processing
- In order to provide the Website’s services, the service provider shall process:
- information about the device of the user in order to ensure the proper functioning of the services: computer’s IP address, information contained in cookies or other similar technologies, session data, browser data, device data, Website activity data, including particular subpages;
- geolocation information if the user has consented to the geolocation. Geolocation information is used to provide more customized product and service offers.
- This information does not contain user identity data, but may, in combination with other information, constitute personal data and is therefore subject to full protection under the GDPR.
- These data are processed in accordance with Article 6(1)(b) of the GDPR for the purpose of providing the Website’s services, i.e. a contract for the provision of services by electronic means, and in accordance with Article 6(1)(a) of the GDPR in connection with the consent to the use of certain cookies or other similar technologies expressed by the relevant settings of the Internet browser in accordance with the Telecommunications Act or in connection with the consent to geolocation. The data are processed until the end of the user’s use of the Website.
- In order to handle a complaint, the service provider processes personal data of users filing complaints, in particular their e-mail address, name, content of the complaint, information obtained in the course of the complaint, including the circumstances of the event giving rise to the complaint. In the course of complaint handling, the service provider may process a range of other information, including the name and surname of the user, information about the use of the service by the user, cookies or other similar technologies, information about devices.
- The data are processed in accordance with Article 6(1)(b) of the GDPR in order to provide services, i.e. a contract for the provision of services by electronic means, and are processed for the time necessary to handle the complaint and no longer than 3 months after the end of the complaint procedure for archiving purposes if necessary to defend against possible legal claims against the service provider in accordance with the information below.
Investigation, legal claim exercise
- Where an investigation is undertaken regarding a possible violation of law, principles of social coexistence or morality, or where proceedings are conducted to exercise legal claims of the Controller or other users or entities, or to defend against claims of users or other entities, the Controller may process personal data of specific users until the end of the ongoing proceedings and the expiry of limitation periods for the Controller’s claims against the user, which usually amounts to 3 years in accordance with the Civil Code, unless a special provision provides otherwise.
- If personal data are processed in order to exercise claims of other users, the data may be made available for this purpose to another user or entity or to a public body authorised by law.
- These data are then processed, including being made available, in accordance with Article 6(1)(c) of the GDPR, i.e. in order to fulfil the obligation arising from the provisions of law concerning the obligation to handle complaints, pursuant to the Act on Providing Services by Electronic Means, or pursuant to Article 6(1)(f) of the GDPR, i.e. in the legally justified interest of the Controller to pursue its claims against the user. The legally justified interest of the Controller shall then prevail over the rights and freedoms of the recipient of the service.
Statistics on the use of services
- The user may revoke his or her consent at any time by changing the settings of his or her browser as regards the admissibility of cookies or other similar technologies.
- The data are processed within the framework of the Controller’s current activities, but not longer than 60 days from receiving the information. After this time, the Controller may further process general statistical data, which will be deprived of any information concerning individual users.
- The period of availability of statistical data in Google Analytics and FreshMail tools provided by external providers of analytical solutions may be longer than 60 days, and this is beyond the Controller’s discretion.
Marketing and PR activities of the Controller
- The Controller may place marketing information about its products or services on the Website. Such content is displayed by the Controller in accordance with Article 6(1)(f) of the GDPR, in accordance with the Controller’s legitimate interest in publishing content related to the services provided and promotional content of campaigns in which the Controller is involved. At the same time, this activity does not violate the rights and freedoms of users.
- The Controller may also publish marketing information concerning products or services of its contractors. Such content is displayed by the Controller in accordance with Article 6(1)(f) of the GDPR, in accordance with the Controller’s legitimate interest in marketing the products or services of its contractors.
- The user has the right to object to the processing of his or her personal data for marketing purposes.
Recipients of users’ data
- The Controller shall disclose personal data of users only to entities processing personal data under the concluded agreements to entrust the processing of personal data in order to provide services for the Controller, e.g. website hosting and maintenance, IT services, marketing and PR services, legal and advisory services.
- The data will not be made available and processed in third countries.
Rights of data subjects
- Every data subject has the right to:
- receive access – to obtain confirmation from the Controller as to whether or not his or her personal data are being processed. If personal data are processed, he or she is entitled to access them and obtain the following information: about the purposes of processing, categories of personal data, recipients or categories of recipients to whom the data have been or will be disclosed, about the period of data storage or the criteria for determining it, about the right to demand rectification, erasure or restriction of personal data processing to which the data subject is entitled, and to object to such processing (Article 15 of the GDPR);
- receive a copy of the data – to obtain a copy of the data undergoing processing, the first copy being free of charge, but the Controller may charge a reasonable fee for any further copies, based on administrative costs (Article 15(3) of the GDPR);
- rectification – to request rectification of inaccurate personal data relating to him or her, or to complete incomplete data (Article 16 of the GDPR);
- erasure – to request the erasure of his or her personal data if the Controller no longer has a legal ground for their processing or if the data are no longer necessary for the purposes of the processing (Article 17 of the GDPR);
- restriction of processing – to request that the processing of personal data be restricted (Article 18 of the GDPR) when:
- the data subject questions the accuracy of the personal data – for a period allowing the controller to verify the accuracy of the data;
- the processing is unlawful and the data subject opposes the erasure of the personal data, requesting a restriction of their use;
- the Controller no longer needs these data, but they are required by the data subject for the establishment, exercise or defence of his or her legal claims;
- the data subject has objected to the processing – until it has been established whether the legitimate grounds of the Controller override those of the data subject;
- data portability – to receive the personal data in a structured, commonly used, machine-readable format, which he or she has provided to the Controller, and to request transmission of such data to another controller if the data are processed on the basis of the data subject’s consent or a contract with the data subject, and if the data are processed in an automated manner (Article 20 of the GDPR);
- object – to object to processing of his or her personal data for legitimate purposes of the Controller, for reasons related to his or her special situation, including profiling. The Controller shall assess the existence of important, legitimate grounds for processing, overriding the interests, rights and freedoms of the data subjects or for the establishment, exercise or defence of legal claims. If, according to the assessment, the interests of the data subject are more important than the interests of the Controller, the Controller shall be obliged to stop processing the data for these purposes (Article 21 of the GDPR);
- withdraw consent at any time and without giving any reason, but the processing of personal data carried out before the withdrawal of consent will continue to be lawful. Withdrawal of consent will cause the Controller to stop processing the personal data for the purpose for which the consent was given.
- In order to exercise the aforementioned rights, the data subject should contact the Controller using the contact details provided and inform them of the right he or she wishes to exercise and to what extent.
President of the Personal Data Protection Office
The data subject has the right to file a complaint with the supervisory authority, which in Poland is the President of the Personal Data Protection Office with registered seat in Warsaw, ul. Stawki 2, which may be contacted in the following manner:
- by post: ul. Stawki 2, 00-193 Warszawa;
- through the electronic inbox available on the website: https://www.uodo.gov.pl/pl/p/kontakt
- on the phone: (22) 531 03 00.
Data Protection Officer
In any event, the data subject may also directly contact the Controller’s Data Protection Officer:
- by e-mail: email@example.com
- to the contact address indicated above with an annotation: Inspektor Ochrony Danych [Data Protection Officer].
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – OJ L 119, 2016, p. 1; amended by: OJ L 127, 2018, p. 2;
- Polish Civil Code (i.e. Dz. U. [Polish Journal of Laws] of 2018, item 1025, amended by: Dz. U. [Polish Journal of Laws] of 2018, item 1104);
- Act of 18 July 2018 on Providing Services by Electronic Means (i.e. Dz. U. [Polish Journal of Laws] of 2017, item 1219 as amended);
- Act of 16 July 2004 – Telecommunications Act (i.e. Dz. U. [Polish Journal of Laws] of 2017, item 1907 as amended)