The Policy is for information purposes and serves to satisfy the information obligations imposed on the data controller under the General Data Protection Regulation, i.e. GDPR.
§ 1 PERSONAL DATA CONTROLLER
- The Controller of the personal data processed within the Application and the Website, entered therein under the Agreement, in particular the Users’ personal data, is the Client, i.e. the entity using the Application subject to paragraph 1.2. below.
- The Controller of the personal data of the Clients themselves, i.e. personal data related to the conclusion of agreements for the provision of services by electronic means, data related to subscription to commercial information, data related to complaints and backups of such data, is the Service Provider, i.e. inEwi sp. z o.o. with its registered office in Bielsko-Biała, ul. 1 Maja 15, 43-300 Bielsko-Biała, entered in the register of entrepreneurs of the National Court Register (KRS) under number KRS: 0000456957, Tax Identification Number NIP: 5472146245, National Business Registry Number REGON: 243231027, share capital in the amount of PLN 151,000.
- The Data Controller has appointed a Data Protection Officer (DPO) to ensure the processing of personal data in compliance with the laws and security rules. The DPO (Piotr Kania) may be contacted via the e-mail address: [email protected].
§ 2 PURPOSES, BASES, SCOPE AND TERM OF PERSONAL DATA PROCESSING
- The Service Provider processes the following categories of the Client's personal data: first and last name, business name, Tax Identification Number NIP, address, e-mail address, IP address, geolocation.
- The Service Provider, as the Data Controller, may process the following categories of personal data of the Users: first and last name, e-mail address.
- The individual purposes and bases for processing the personal data of the Clients and Users are presented below, along with the scope of data processed for individual purposes and the period for which the data will be processed (purpose; scope of data; legal basis; processing period).
- In the scope in which the Service Provider is the Controller of the data of the Clients and Users, the Service Provider does not undertake any activities that constitute profiling, including automated decision-making with respect to the Clients and Users.
- The Service Provider informs that the provision of personal data by the Client is voluntary, whereby if the Client refuses to provide personal data, it will not be possible to conclude the Agreement, provide the Services and take any other actions.
§ 3 RECIPIENTS OF PERSONAL DATA
- The Service Provider may transfer the personal data of the Clients and Users to third parties for further processing. The recipients of personal data include: an accounting company, a hosting provider for the Website, a company providing technical support for the Website, a company handling payments, a company providing a CRM system. Personal data may also be disclosed to: competent state authorities upon their request on the basis of the relevant legal provisions or other persons and entities – in the cases prescribed in the legal provisions.
- The personal data of Clients and Users will not be transferred to third countries (i.e. beyond the European Economic Area).
§ 4 CLIENT AS THE PERSONAL DATA CONTROLLER
- The Client will process the personal data with respect to which he/she is the Data Controller in the Application for the purpose of employment (on the basis of both an employment contract and other civil-law contracts) and HR matters, in the scope and for the term necessary for the employer to fulfil its obligations under the Labour Code or other acts related to the conclusion of other civil-law contracts.
- The Client has transferred to the Service Provider the processing of all personal data provided to the Service Provider within the Account, in particular referring to the Users, for the term of the Agreement, unless there is another legal basis for their further processing.
- Upon the Client’s consent, the Service Provider will further transfer personal data for processing, which will consist in their storage, to entities that guarantee the level of security of personal data processing as required by the provisions of the GDPR.
- The terms of the processing of personal data by the Service Provider on behalf of the Client have been established in a separate agreement (personal data transfer agreement) concluded between these entities.
§ 5 SECURITY OF PROCESSING
- The Service Provider declares that, as the Data Controller and as the Processor of personal data upon the order of the Client, it has taken all the necessary organisational and technical measures to secure the data sets as well as the security of processing as prescribed in Articles 25, 30, 32-34, 35-39 of the GDPR.
- Access to information that is personal data on the part of the Service Provider is granted only to persons authorised to administer the Website on the basis of granted authorisations including declarations of confidentiality with respect to the processed data and the applied safeguards. Files containing web server logs may be analysed for the purposes of preparing statistics concerning traffic on the Website and occurring errors.
§ 6 RIGHTS OF DATA SUBJECTS
- The Service Provider informs that the Users whose personal data are controlled by the Service Provider have the right to inspect their data processed by the Service Provider and the right to correct such data, they also have the right to control the processing of the data referring to them contained in the data sets, in particular the right to: (i) access their personal data, (ii) complete and correct their data by submitting a relevant request, (iii) request the temporary or permanent suspension of their processing or their deletion if they are incomplete, outdated, untrue or have been collected in violation of the Act or are no longer necessary for the purpose for which they were collected, (iv) object to the processing of their personal data and (v) request their deletion when they become unnecessary for the purpose for which they were collected.
- Furthermore, the Users have the right to: remove the collected personal data referring to them both from the system of the Service Provider and from the bases of the entities with whom the Service Provider has co-operated, object to the further data processing for marketing purposes, restrict the data processing, portability of the personal data referring to the Users collected by the Service Provider, including the right to receive them in a structured form, file an objection with the supervisory authority if a User states that his/her data are processed in violation of the law and to seek judicial remedy against the supervisory authority and the infringing entity.
- In the scope in which the Client is the Controller of the Users' data, he/she is responsible for the exercise of the Users' rights indicated in paragraphs 7.1. and 7.2. above. The Service Provider will immediately inform the Client of any claim raised by a User who is an employee of the Client.
§ 7 COOKIES AND OTHER SOFTWARE POLICY
- The Application uses, upon the Client’s consent and on the terms specified in paragraph 7.2., programs that monitor activity on the Users' screens and the number of clicks on given functions in order to adapt the Application interface to the Users’ needs more effectively. The indicated programs do not generate any personal data of the Users.
- The program mentioned in paragraph 7.3. above does not undertake any activities that involve the processing of personal data.