This document sets out the principles governing the protection of personal data for people who use the https://cybersecforum.eu service (hereinafter: Service).
The Controller is obliged to protect the privacy of Service Users. To this end, the Controller shall exercise best efforts to ensure that the Service User’s provided personal data is protected in relation to using the Service and participating in the Events.
The controller of your personal data is:
Stowarzyszenie Instytut Kościuszki with its seat in Kraków in ul. Wilhelma Feldmana 4/9-10, 31-130 Kraków, KRS: 0000145838, NIP: 675-130-29-92, REGON: 35668376000000 (hereinafter: Association).
THE BASIS AND PURPOSES OF PROCESSING
In the case of a contact in order to enter into a contract, we process your data to take action at your request before the conclusion of the contract, e.g. conduct negotiations or presenting an offer (legal basis: Art. 6 para 1 points b and f of GDPR). The data will be processed for a period necessary to act at your request. If the contract fails to be concluded, the data will be removed after this period, and if the contract is concluded, the data will keep being processed until the contract is fulfilled and the statute of limitation for claims stemming from the contract expires, on the basis of the Controller’s legitimate interest which is the defence against and pursuance of claims (Art. 6 para 1 points b and f of GDPR).
Should we enter into a contract with you, the data will be processed:
• in order to conclude and fulfil it (including but not limited to contacting you as regards its fulfilment, payment confirmation, rebate granting, goods delivery, notification sending about order completion) and pursuant to it (legal basis in Art. 6 para 1 point b of GDPR);
• in order to provide service by electronic means, in particular to retain a customer account in the shop (legal basis in Art. 6 para 1 point b of GDPR);
• in order to perform the customer complaint process and ensure correct customer service (legal basis in Art. 6 para 1 point b of GDPR);
• in order to perform legal obligations incumbent on the Controller, including tax obligations, duties arising from Civil Code regulations, GDPR regulations, VAT invoice issuance, complaint handling, information requirement compliance (legal basis in Art. 6 para 1 point c of GDPR);
• in order to archive (for evidentiary purposes), for preserving information in the case a legal need to demonstrate facts arises, on the basis of a legitimate interest pursued by the Controller (legal basis in Art. 6 para 1 point f of GDPR), this interest being documentation archiving;
• in order to establish, pursue, or defend against claims if need be, on the basis of a legitimate interest pursued by the Controller (legal basis in Art. 6 para 1 point f of GDPR), this interest being establishing, pursuing, or defence against claims in such a case;
• in order to conduct direct marketing of our own products and services by the Controller on the basis of a legitimate interest pursued by the Controller (legal basis in Art. 6 para 1 point f of GDPR);
• in order to pursue the aims you consented to. The basis of personal data processing is thus a voluntary, unequivocal, informed, and specific consent granted by the data subject. Hence, in the case of Event participation, the basis of processing for personal data such as one’s likeness will be your consent and a legitimate interest pursued by the Controller (legal basis in Art. 6 para 1 point a of GDPR in connection with Art. 81 of the Copyright and the Related Rights Act and Art. 6 para 1 point f of GDPR).
2. Commercial information
If you have granted consent to do so, your personal data will be processed in order to send commercial information on products and services, promotional offers, and deals on the basis of your consent and a legitimate interest pursued by the Controller, which is in this case direct marketing of one’s own products and services (legal basis in Art. 6 para 1 points a and f of GDPR).
3. Contact form
We process the data you input in the contact form in order to perform submission handling and answer questions on the basis of a legitimate interest pursued by the Controller (legal basis in Art. 6 para 1 point f of GDPR), which is in this case contacting customers and offering them answers to questions.
4. Conducting traditional and e-mail correspondence
In the case of your sending to the Controller e-mail or postal correspondence which is not related to service rendering or performance of another contract, the personal data contained therein is processed in order to process the request or enquiry put forward in the correspondence.
The basis for the processing in such a case is a legitimate interest pursued by the Controller (Art. 6 para 1 point f of GDPR), which lies in carrying on a correspondence and handling requests and enquiries in relation to the business activities performed. Providing personal data necessary to handle the request is mandatory.
5. Telephone contact
In the case you are contacted by telephone in matters that are not related to rendering services to you or performing another contract, the personal data you provided are processed in order to handle a request or enquiry submitted.
The basis of the processing in this case is a legitimate interest of the Controller (Art. 6 para 1 point f of GDPR), which lies in carrying on a correspondence and handling requests and enquiries in relation to the business activities performed. The Controller can require that you provide the data necessary for request handling, in which case the provision of such data is mandatory for request handling.
6. Contact by employees of the Contracting Party, Customer, or a third party
In the case you contact us by telephone or e-mail in relation to a contract that your employer entered into or actions taken at the employer’s request prior to entering into a contract, we process the data thus obtained in order to perform the contract concluded and to take action at request prior to entering into a contract (legal basis in Art. 6 para 1 point b of GDPR and because of the Controller’s legitimate interest which is to have the ability to contact the co-operating entities and their employees and contractors as needed (the basis in Art. 6 para 1 point f of GDPR) as well as pursue and defend against claims, which constitutes a legitimate interest of the Controller to defend its rights (the basis in Art. 6 para 1 point f of GDPR).
If you contact us regarding a matter other than the contract entered into, for instance to obtain information about the events, conferences, training sessions held, or statutory activities, we process your data in order to answer the question posed or to resolve the matter which you present. The basis for processing is a legitimate interest of the Controller that lies in answering the question posed or resolving the matter in connection with its business activities (legal basis in Art. 6 para 1 point f of GDPR).
7. Other bases for processing
Your data may also be processed for analytical and statistical purposes of gauging customer satisfaction, which is a legitimate interest of the Controller (legal basis in Art. 6 para 1 point f of GDPR).
If you are a member of the bodies of the Controller, we process your data in order to exercise supervisory and control rights and obligations as imposed by legal codes and statutes (legal basis in Art. 6 para 1 point c of GDPR), as well as for the proper functioning of the association on the basis of a legitimate interest pursued by the Controller (legal basis in Art. 6 para 1 point f of GDPR), which is in this case the proper functioning of the Association.
8. Communication via social networks
Social networks such as Facebook, X, and their ilk, are data processing Controllers for their users and process it pursuant to their own Regulations. When you contact us or take any action with the use of such social networks, in particular follow, react to posts, comment, send private messages, the Association start to be the Controller of your personal date in addition to the social networks. We process the data present in your profile (the name, surname, profile image among them) and other information sent in messages or comments on the basis of a legitimate interest of the Controller in order to answer the comments and messages and to maintain the relation with the uses who undertake the relevant actions (basis in Art. 6 para 1 point f of GDPR).
1. Data sharing and outsourcing the data processing
We may share your personal data with the entities we use to process them, in particular the companies providing services for goods delivery (couriers), handling the event registration processes and the processes necessary for notification sending, service providers that provide advertising and marketing services, as well as for the settlement of fees due. The Controller will also make your data available in situations when it is necessary due to an obligation incumbent on it. The Controller may make your personal data available to transaction parties in transactions concluded through the Service. The entities to which the GDPR applies, having obtained portal users’ personal data from the Controller, are obligated to discharge any and all obligations resulting from the GDPR and other legal provisions towards these users, including ensuring the exercise of the rights vested under the GDPR. The Controller can share the data stored in cookies with Trusted Partners in order to better assess the attractiveness of advertising and services to improve the overall quality and effectiveness of services provided by the said entities. The sharing of data stored in cookies is subject to the User’s consent. The recipient of the information stored in cookies is the hosting provider operating the web portal.
2. Data transfer to third countries or international organisations
The Controller may entrust the processing of personal data to a third country, namely outside the European Economic Area, and transfer the data to external entities cooperating with the Controller and acting on its behalf for the purposes described above.
Your personal data may be transferred outside the European Economic Area to:
• Alphabet Inc. with its seat in San Bruno, California in the United States, being the owner of an internet service available at the following address: www.youtube.com and having ties to Google LLC with its seat in Mountain View, California in the United States in relation to using the above portal and making available the recordings of the events, conferences, and webinars held
• X Corp. with its seat in San Francisco, California in the United States in relation to the Controller’s publishing of content on the www.twitter.com online portal
• LinkedIn Corporation with its seat in the United States in relation to the Controller’s publishing of content on the www.linkedin.com online portal
• Facebook with its seat in the United States in relation to the Controller’s publishing of content on the www.facebook.com online portal
• Instagram with its seat in the United States in relation to the Controller’s publishing of content on the www.instagram.com online portal
The Controller may also store your personal data in a location that is subject to a different jurisdiction than your place of residence or registered office.
In addition, some of our Trusted Partners may store service user data outside the EEA (European Economic Area).
Your data may thus be transferred outside the EEA. Such a situation can arise in connection with contracting the performance of certain services/actions from the entities based outside the EEA or processing data outside the EEA as well as from Partners, the entities the Controller co-operates with or empowers to act on its behalf for the purposes described above which are based outside the EEA or processing data outside the EEA. The personal data may only be transferred to such third countries (countries outside the EEA) or entities in the third countries, with regard to which the European Commission decision confirms a proper level of data
protection, the standard data protection clauses were included in the contracts, or other relevant protection measures were used, as set out in generally applicable provisions of law.
In relation with data transfer outside the EEA, you can request further information in this respect, obtain a copy of the safeguards, or information on where they are shared, vy contacting the Controller in the way indicated in this Policy.
DATA RETENTION DURATION
The period for which we may process your personal data depends on the legal basis constituting the legal prerequisite for personal data processing by the Controller. We will never process personal data for a period longer than the above-mentioned legal basis. Accordingly, we inform you that:
• where the Controller processes personal data on the basis of consent, the processing period lasts until your withdrawal of this consent
• where the Controller processes your personal data collected on the basis of your request to take action by the Controller prior to concluding a contract or other specific action, the processing period lasts for the time necessary to take the action at your request
• where the Controller processes personal data when it is necessary for contract performance, the processing period lasts until the possibilitý of either party asserting a claiḿ related to the contract ceases
• where the Controller processes personal data on the basis of a legitimate interest of the controller, the processing period lasts until the said interest ceases to exist (e.g. the limitation period for civil law claims) or until the moment when the data subject objects to further such processing – in the situations when such an objection is possible under the legal regulations
• where the Controller processes personal data because it is necessary by virtue of the applicable legal regulations, the periods of data processing for this purpose are determined by these regulations
We inform you that you have:
1. the right to access your data and to obtain its copy
2. the right to rectification (correction) of your data
3. the right to erasure
If, in your opinion, there is no basis for us to process your data, you can request that we delete them.
4. the right to restrict data processing
You may request that we restrict the processing of your personal data solely to storing them or carrying out activities agreed with you, if in your opinion we have incorrect data about you or are processing it with no legal basis; or you do not want us to erase it because you need it to establish, pursue, or defend legal claims; or for the duration of an objection you have submitted against data processing.
5. the right to object to the processing
The “marketing” objection. You have the right to object to the processing of your data for direct marketing purposes. If you exercise this right – we will cease to process your data for this purpose.
Objection on the grounds of a special situation. You have the right to object to the processing of your data on the basis of a legitimate interest for purposes other than direct marketing, and also if the processing is necessary for us to perform a task carried out in the public interest or for the exercise of official authority entrusted to us. You should then indicate to us your particular situation which, in your opinion, warrants our ceasing of the processing objected to. We will stop processing your data for these purposes unless we demonstrate that the basis for our processing of your data overrides your rights or that your data are necessary for us to establish, pursue, or defend legal claims.
6. the right to data portability
You have the right to receive from us, in a structured, commonly used machine-readable format (e.g. the .csv format), the personal data concerning you that you have provided to us on the basis of a contract or your consent. You may also instruct us to send this data directly to another entity.
7. the right to lodge a complaint with a supervisory authority
If you consider our processing of your data unlawful, you may lodge a complaint regarding this issue with the President of the Personal Data Protection Office in Poland (ul. Stawki 2, 00-193 Warszawa).
8. the right to withdraw your consent for personal data processing
You have the right to withdraw your consent to the processing of the personal data that we process on the basis of your consent at any time. The withdrawal of consent will not affect the lawfulness of the processing that was carried out on the basis of your consent before its withdrawal.
Should you wish to exercise the above rights, please contact us personally via traditional or electronic mail using the following details:
Stowarzyszenie Instytut Kościuszki with its seat in Kraków, ul. Wilhelma Feldmana 4/9-10, 31-130 Kraków;
(Monday–Friday from 9 am to 5 pm)
The Controller will provide an answer to the lodged claims no later than within a month of receiving it.
VOLUNTARY BASIS OF PERSONAL DATA SUBMISSION
The provision of data in connection with handling a request and a submitted enquiry by telephone, post or e-mail correspondence is necessary for the handling of the question, for answering it, and for the resolution of the matter, with failure to provide such data resulting in the impossibility of sending a response or settling the matter.
When you contact us to ask a question or indicate a matter to be settled, providing your data to enable us to contact you back is voluntary, but necessary to answer the question or resolve the matter presented.
Providing the data which is indicated as mandatory in the contact form is necessary for the handling of the question and the reply to the question, with failing to provide them making it impossible to send the enquiry.
Providing data in relation to concluding, rendering, and performing a contract is voluntary, but necessary for the proper service rendering and contract performance. The consequence of failing to provide such data will be the inability to conclude a contract.
We may also require that you provide data if it is necessary for discharging the legal obligations incumbent on us. In that case, the provision of data is mandatory.
Provision of data necessary to send commercial information on products and services, promotions and offers is voluntary, but necessary to send such information. Failure to provide such data makes it impossible to send commercial information on products and services, promotions, and offers.
The information we collect in relation to the use of our Services can be deployed in an automated manner (including in the form of profiling). We can engage in profiling activities for marketing purposes, i.e. adjusting the marketing offer to User’s preferences.
Our Partners can use targeting and profiling, in other words automated processing of personal data, which consists in such actions as using personal data to analyse or forecast personal preferences, interests, locations, behaviour.