- 1. Administrator – company under the name Projekt 12 – „Grupa Echo” Spółka z ograniczoną odpowiedzialnością – SKA in Kielce, 25-323, al. Solidarności 36, TAX identification number PL6572912018 (hereinafter referred to as “the Company” or “the Administrator”)
- Personal Data – information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including including image, voice, contact information, location, correspondence, information collected through recording equipment or other similar technology.
- 3. Object – a mix-use project owned by the Administrator którego właścicielem jest Administrator.
- Data subject – a natural person to whom Personal Data processed by the Administrator relates.
- Policy – this is the present Personal Data Processing Policy.
- Employee – a natural person employed by the Administrator under an employment contract.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
- Associate – a natural person providing services to the Administrator on the basis of a civil law contract (e.g. contract of mandate, contract for specific work).
2. Processing of data by the Administrator
- In connection with their business activity, the Administrator collects and processes Personal Data in accordance with the relevant legal regulations, including in particular the GDPR, and the rules of data processing provided therein.
- The Administrator shall ensure transparency of personal data processing, and in particular shall always inform about the processing of data at the time of its collection, including the purpose and legal basis of the processing (e.g. when concluding a lease agreement). The Administrator shall ensure that the data is collected only to the extent necessary to achieve the indicated purpose and processed only for the period in which it is necessary.
- When processing Personal Data, the Administrator shall ensure its security and confidentiality and access to information on the processing of personal data by the persons to whom the data relates. Should a breach of personal data protection (e.g. “leakage” or loss of data) occur despite the security measures applied, the Administrator shall inform the data subjects about such an event in a manner compliant with the provisions of law.
3. Contact with the Administrator
- Contact with the Administrator is possible through the mailing address: al. Solidarności 36, 25-323 Kielce.
4. Security of Personal Data
- In order to ensure data integrity and confidentiality, the Administrator has implemented procedures allowing access to Personal Data only to authorized persons and only to the extent necessary for the performance of their tasks. The Administrator applies organizational and technical solutions to ensure that all operations on personal data are registered and performed only by authorized persons.
- The Administrator shall additionally take all the necessary measures to ensure that their subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Administrator.
- The Administrator conducts an ongoing analysis of risks related to the processing of Personal Data and monitors the adequacy of data security measures applied to identified threats. Where necessary, the Administrator shall implement additional measures to enhance data security.
5. Purposes and legal basis of the processing
- E-mail and traditional correspondence
- In the case of sending to the Administrator e-mail or traditional correspondence not related to services provided to the sender, another agreement concluded with them or otherwise not related to any relationship with the Administrator, the Personal Data contained in this correspondence is processed solely for the purpose of communication and solving the matter to which the correspondence relates.
- The legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GPPR), consisting in conducting correspondence addressed to them in connection with their business activity.
- The Company shall only process Personal Data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner ensuring the security of Personal Data (and other information) contained therein and disclosed only to authorized persons.
- Phone contact
- In case of contacting the Administrator by phone, in matters not related to the concluded agreement or provided services, the Administrator may request the provision of Personal Data only if it is necessary to handle the matter to which the contact relates. In such a case, the legal basis is the legally justified interest of the Administrator (Article 6(1)(f) of the GDPR), consisting in the necessity to resolve a reported matter related to their business activity.
6. Transmission of data outside the EEA
- The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, in particular through:
- cooperation with entities processing Personal Data in the countries in relation to which an appropriate decision of the European Commission has been issued concerning the determination of the appropriate level of protection of Personal Data;
- the use of standard contractual clauses issued by the European Commission;
- the application of binding corporate rules approved by the relevant supervisory authority;
- in case of data transfer to the US – cooperation with entities participating in the Privacy Shield programme, approved by means of a decision of the European Commission.
7. Period of processing of Personal Data
- The period of the Administrator’s data processing depends on the type of service provided and the purpose of processing. The period of data processing may also result from the law, when it constitutes the basis for the processing. In the case of processing on the basis of a legitimate interest of the Administrator (e.g. for security reasons), the data shall be processed for a period sufficient to enable the exercise of such interest or to object to the processing in an effective manner. If the processing is based on consent, the data shall be processed until the withdrawal of consent. Where processing is based on a necessity for the conclusion and performance of a contract, the data shall be processed until the termination of the contract.
- The period of processing may be extended where processing is necessary for the establishment or enforcement of claims or for defense against claims, and thereafter only if and to the extent required by law.
8. Rights relating to the processing of personal data
- The rights of data subjects
- Data subjects shall have the following rights:
- the right to be informed about personal data processing – on this basis the Administrator shall provide the natural person making the request with information on data processing, including in particular the purposes and legal grounds for the processing, the scope of data held, entities to whom the data is disclosed, and the planned date of data deletion;
- the right to obtain a copy of the data – on this basis the Administrator shall provide a copy of the data processed concerning the natural person making the request;
- the right to rectify – the Administrator is obligated to remove any incompatibilities or errors in the processed Personal Data and to complete it if it is incomplete;
- the right to delete data – on this basis it is possible to demand the deletion of data whose processing is no longer necessary for the fulfillment of any of the purposes for which it was collected;
- the right to limit the processing – in the case of such a request, the Administrator shall cease carrying out operations on Personal Data – with the exception of those operations consented to by the data subject – and to store the data, in accordance with the accepted principles of retention or until the reasons for the limitation of data processing cease to exist (e.g. a decision of the supervisory authority allowing further processing is issued);
- the right to transfer the data – on that basis in so far as the data is processed automatically in connection with the conclusion of the contract or the consent given, the Administrator shall issue the data provided by the data subject in a format which is computer readable. It is also possible to request that such data be sent to another entity, however, provided that there are technical possibilities in this respect on the part of both the Administrator and the designated entity;
- the right to object to the processing for marketing purposes – the data subject may at any time object to the processing of personal data for marketing purposes, without having to justify such an objection;
- the right to object to other purposes of the processing – the data subject may object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data carried out on the basis of the legitimate interest of the Administrator (e.g. for analytical or statistical purposes or for reasons related to the protection of property); the objection shall state the grounds on which it is based;
- the right to withdraw consent – if the data is processed on the basis of a consent given, the data subject has the right to withdraw the consent at any time, but this does not affect the lawfulness of the processing carried out prior to the withdrawal;
- the right to complain – in the case of finding that the processing of Personal Data violates the provisions of the GDPR or other provisions regarding the protection of Personal Data, the Data Subject may file a complaint with the authority supervising the processing of Personal Data, having jurisdiction over the place of the data subject’s habitual residence, place of work or place of the alleged violation. In Poland, the supervisory authority is the President of the Office for the Protection of Personal Data.
- Making demands in connection with the exercise of rights
- A request for the exercise of the rights of Data Subjects may be made in writing to the following address: al. Solidarności 36, 25-323 Kielce.
- If the Administrator is unable to identify a natural person on the basis of a request, they will request additional information from the applicant. The provision of such data is not obligatory, however, failure to provide such data will result in a refusal to fulfill the request.
- The request may be made in person or through a proxy (e.g. a family member). For reasons of data security, the Administrator encourages the use of a power of attorney in the form certified by a notary or authorized legal adviser or attorney, which will significantly speed up the verification of the authenticity of the request.
- A reply to the application should be given within one month of its receipt. If necessary, the Administrator shall inform the applicant of the reasons for this action.
- In the event that the request is addressed to the Company electronically, a response shall be given in the same form, unless the applicant has requested a response in another form. In other cases, answers shall be given in writing. If the deadline for meeting the request makes it impossible to answer in writing and the scope of the applicant’s data processed by the Administrator enables contact by electronic means, the answer should be given by electronic means.
- The Company shall maintain information regarding the request made and the person who made the request, in order to ensure that compliance can be demonstrated and to identify, defend or enforce any claims by data subjects. The register of requests shall be kept in such a way as to ensure the integrity and confidentiality of the data contained therein.
- Charging principles
- The application procedure shall be free of charge. Fees can only be charged in the case of:
- requesting a second and each subsequent copy of the data (the first copy of the data is free of charge); in such a case, the Administrator may demand the payment of a fee of PLN 30. The above fee includes the administrative costs associated with the execution of the request;
- reporting by the same person excessive (e.g. extremely frequent) or manifestly unjustified demands; in such a case, the Administrator may demand payment of a fee in the amount of PLN 30. The above fee includes the costs of communication and the costs associated with taking the required actions;
- In the event of a challenge to a decision imposing a charge, the data subject may lodge a complaint with the supervisory authority for the processing of personal data having jurisdiction over the place where the data subject is habitually resident, their place of work or where the alleged infringement has been committed. In Poland, the supervisory authority is the President of the Office for the Protection of Personal Data.
9.Changes in the personal data processing policy
- The policy is constantly reviewed and, if necessary, updated.