1.1. Controller or Company or ISEC – „ISEC” Sp. z o. o., with its registered office in Warsaw (postal code: 00-680), at Poznańska 13/3 Street, entered into the Register of Entrepreneurs of the National Court Register, maintained by the District Court for the Capital City of Warsaw, XII Commercial Division under number 0000336558; NIP 8992679469; share capital PLN 100.000,00.
1.2. Personal Data – any information about a natural person, identified or identifiable by one or several factors defining his/her physical, physiological, genetic, psychic, economic, cultural or social identity, including the IP of the device, location data, online identifier and information collected through cookie files and other similar technologies.
1.3. Client – an entity which commissions the Company to provide services requiring processing of Personal Data.
1.4. Data subject – any natural person whose Personal Data are processed by the Controller.
1.6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC.
1.7. Website – an online service run by the Controller at the address: https://isec.pl/.
1.8. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE
2.1. In connection with the User’s use of the Website, the Controller collects data with the scope necessary to provide its respective services and collects information about the User’s activity on the Website. The detailed rules and purposes of processing the Personal Data collected during the use of the Website by the User are described below.
3. PURPOSES AND LEGAL BASIS OF DATA PROCESSING AT THE WEBSITE
USE OF THE WEBSITE
3.1. Personal Data of all the persons using the Website (including the IP address or other identifiers and information collected through cookie files and other similar technologies) are processed by the Controller:
3.1.1. to provide services electronically, namely to give Users access to the content collected on the Website – in this case, the legal basis for the processing is that processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
3.1.2. for analytical and statistical purposes – in this case, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to analyze the activity of Users and their preferences in order to improve the functionalities used and the services provided;
3.1.3. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights.
3.2. Activity of a User on the Website, including his/her Personal Data, is recorded in system logs (a special computer program for storing a chronological record of information about events and actions concerning the IT system used for providing services by the Controller). The information collected in logs is processed mainly for purposes related to the provision of services. The Controller also processes the information for technical, administrative purposes and in order to ensure security of the IT system and to manage the system and also for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR).
3.3. The Controller ensures technical solutions for contacting it, including for the purpose of the Controller’s presentation of an offer concerning its services, using electronic forms. Using the form requires that Personal Data be provided, which is needed to contact the User and answer his/her submitted request for proposal. The User may also provide other data to submit a request for proposal, facilitate contact or handle the application. Provision of data marked as mandatory is required to accept and handle an inquiry, and the failure to provide them makes it impossible to handle it. Provision of other data is voluntary.
3.4. Personal Data are processed:
3.4.1. to identify the sender and handle his/her request for proposal sent by the provided form – the legal basis for the processing is the necessity of the processing to perform a contract for providing a service (Article 6(1)(b) GDPR) and with respect to the provision of optional data – the legal basis for the processing is consent (Article 6(1)(a) of GDPR);
3.4.2. for analytical and statistical purposes – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to perform analyses of the inquiries made by Users through the Website to enhance its functionalities.
4. SOCIAL MEDIA
4.1. The Controller processes Personal Data of Users who visit the Controller’s profiles on the LinkedIn.com and Twitter.com social networking sites. The data are processed only in connection with maintaining the profile, also in order to inform the Users about the Controller’s activity and promote various events, services and products. The legal basis of the Personal Data processing by the Controller for the above purpose is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) to promote its own brand.
5. COOKIES AND SIMILAR TECHNOLOGIES
5.1. Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information to facilitate using a Website, e.g. by remembering the User’s visits at the Website and actions performed by him or her.
5.2.1. user input cookies – cookies with data entered by the User (session identifiers) stored for the duration of a session;
5.2.2. user interface customization cookies – persistent cookies used to personalize the User’s interface for the duration of a session or slightly longer.
6. ANALYTICAL TOOLS USED BY THE CONTROLLER
6.2. The Controller uses Google Analytics service to analyse how the User uses the Website as well as to compile statistics and reports about the operation of the Website. Google does not use the data collected to identify a User and neither does it combine any information items to make such an identification possible. Detailed information on the scope and rules of collecting data in connection with the service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.
7. MANAGEMENT OF COOKIES SETTINGS
7.1. The usage of cookies in order to collect the data, as well as gaining access to the data stored in the User’s device, requires his/her prior consent. The User may withdraw his/her consent at any given time.
7.2. In case of cookies which are necessary to the provision of telecommunication service (data transmission in order to display content) the consent is not required.
8. PROCESSING PERSONAL DATA OUTSIDE THE DIGITAL WORLD
8.1. In connection with the conducted business activity, ISEC collects and processes Personal Data in compliance with relevant laws, especially the GDPR and the data processing principles provided therein.
8.2. In case ISEC processes data on its own behalf, the Company ensures transparency of data processing, in particular by always informing about data processing at the moment of their collection, including the purpose and legal basis of the processing, e.g. while entering into a contract for the sale of goods or services. The Controller makes every effort to collect data only to the extent necessary for the indicated purpose and process them only as long as it is necessary.
8.3. In principle, the services provided by ISEC do not require the processing of Personal Data for and on behalf of its Clients. However, if necessary, ISEC will process the data according to the Client's instructions, in particular, it will apply the safeguards required by the Client.
8.4. While processing Personal Data, ISEC ensures their security and confidentiality, and ensures that Data subjects have access to information about the processing. If, in spite of the applied security measures, there is a Personal Data breach (e.g. a data leak or loss), the Controller shall accordingly inform Data subjects or its Client about the event in compliance with applicable laws and regulations.
9. PURPOSES AND LEGAL BASIS OF PROCESSING OUTSIDE THE DIGITAL WORLD
EMAIL AND TRADITIONAL CORRESPONDENCE
9.1. If ISEC receives correspondence, by email or traditional mail, unconnected with the services provided for the sender or another agreement executed with them, the Personal Data found in the correspondence shall be processed only for the purpose of communicating and resolving the issue which is the subject of the correspondence.
9.2. The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) to carry on correspondence sent to it in connection with its business activity.
9.3. ISEC processes only the Personal Data relevant to the issue that the correspondence is about. All the correspondence is stored so as to ensure security of the Personal Data (and other information) found therein and disclosed only to authorized persons.
CONTACT BY PHONE
9.4. In case of contacting ISEC by phone, for issues unconnected with the contract or the provided services, the Company may only request Personal Data if this is necessary to handle the issue to which the contact relates. In such a case, the legal basis is the Controller's legitimate interest (Article 6(1)(f) of GDPR) to resolve the issue related to its business activity.
9.5. Within recruitment processes, ISEC expects provision of Personal Data (e.g. in a CV or a resume) only to the extent defined in the labour law. Accordingly, no wider range of information should be provided. If the submitted applications contain additional data which exceed the scope set forth under provisions of the Polish Labour Code, processing of such data will be based on the consent of a candidate (Article 6(1)(a) of GDPR), expressed by a clear affirmative action, i.e. submitting his/her application to the Controller. If the sent applications include additional data that are inadequate with regard to the recruitment process, those will not be used or taken into consideration in the recruitment process.
9.6. Personal Data are processed:
9.6.1. should an employment contract be desired – processing is necessary for compliance with a legal obligation related to recruitment issues, including in particular provisions of the Polish Labour Code – the lawful ground for processing is derived from a legal obligation imposed upon the Controller (Article 6(1)(c) of GDPR in connection with provision of applicable labour laws);
9.6.2. should a civil contract be desired – in order to run recruitment process – processing the data contained in the application documents is necessary in order to take steps at the request of the Data subject prior to entering into a contract (Article 6(1)(b) of GDPR);
9.6.3. to run a recruitment process with regard to data not required by law or the Controller and also for the purpose of future recruitment processes – the legal basis for the processing is an individual’s consent (Article 6(1)(a) of GDPR);
9.6.4. to establish or pursue possible claims by the Controller or defend against such claims by the Controller – the lawful ground for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR).
9.7. To the extent that Personal Data is processed on the basis of consent, this consent may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal. Should a consent for the purposes of future recruitment processes be given, Personal Data are deleted after two years – unless such consent is withdrawn beforehand.
PROCESSING CONTRACTORS’ STAFF MEMBERS OR CLIENTS’ PERSONAL DATA COOPERATING WITH ISEC
9.8. Given the conclusion of commercial contracts as part of the Controller’s business activity, the Controller collects from contractors / Clients Personal Data of persons involved in enforcement of such contracts (e.g. persons authorized to contact, place orders, execute orders etc.). The scope of the provided data is in any and every case limited to the necessary minimum for the performance of the contract and usually does not include other information than full name and business contact details.
9.9. Such Personal Data are processed in order to pursue the legitimate interest of the Controller and its contractor (Article 6(1)(f) GDPR), which allows correct and efficient performance of the said contract. The data may be disclosed to third parties involved in the performance of the contract.
9.10. The data are processed for the period necessary to pursue the above-mentioned interests and fulfil the obligations resulting from the applicable laws.
DATA COLLECTION IN OTHER CASES
9.11. In connection with the conducted business activity, ISEC collects Personal Data also in other cases, e.g. by enhancing and benefitting from long-term mutual business contacts (networking) during business meetings, at business events or by exchanging business cards, for purposes connected with initiating and maintaining business contacts. The legal basis for the processing in such a case is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) involving building a network of contacts in connection with its business activity.
9.12. The Personal Data collected in such cases are processed only for the purpose for which they were collected and the Company guarantees their appropriate protection.
10. DATA RECIPIENTS
10.1. In connection with provision of services related to the operation of the Service, Personal Data will be disclosed only to vendors responsible for maintenance of IT systems.
10.2. In connection with the conduct of activities requiring processing outside the digital world, Personal Data are additionally disclosed to vendors responsible for equipment service, entities providing accounting services, banks or couriers.
10.3. The Controller reserves the right to disclose selected information items referring to the User to relevant authorities or third parties which will demand that they are provided such information pursuant to an appropriate legal basis and in compliance with prevailing laws.
11. TRANSFER OF DATA OUTSIDE THE EEA
11.1. The level of Personal Data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits Personal Data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
11.1.1. cooperating with Personal Data processors in the states with respect to which a relevant decision of the European Commission has been issued concerning the confirmation of an adequate level of protection of Personal Data;
11.1.2. application of standard contractual clauses issued by the European Commission;
11.1.3. application of binding corporate principles approved by the relevant supervisory authority;
11.1.4. if data is transferred to the US – cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
11.2. At the data collection stage, the Controller always informs the User of the intention to transmit Personal Data outside the EEA.
12. PERSONAL DATA SECURITY
12.1. In order to guarantee data integrity and confidentiality, the Controller has implemented adequate procedures to safeguard Personal Data and conducts an ongoing risk analysis to ensure that Personal Data are processed in a secure manner, guaranteeing first of all that access to the data is provided only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller makes sure that any operations on Personal Data are recorded and performed only by authorized employees or collaborators.
12.2. The Controller takes any necessary actions so that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures in each case when they process Personal Data on the Controller’s behalf.
13. PERIOD OF PERSONAL DATA PROCESSING
13.1. The period of data processing by ISEC depends on the type of provided service and the purpose of the processing. The data processing period may also follow the laws when these are the basis for the processing. If data are processed on the basis of the Controller’s legitimate interest, the data are processed for the period making it possible to satisfy the interest or until the Data subject has effectively objected against the data processing. If data are processed on the basis of a consent, the processing will be performed until the consent is withdrawn. If data are processed on the basis of the necessity to enter into and perform an agreement, the data will be processed until its termination.
13.2. The data processing period may be extended if processing is necessary to establish or pursue possible claims or defend against such claims and, after that time, only when and to the extent required by law. After the elapse of the processing period, the data are irreversibly deleted or anonymized.
14. CONTACT DATA
14.1. It is possible to contact ISEC by e-mail [email protected] or mailing address Poznańska 13/3, 00-680 Warszawa, Poland.
15. RIGHTS CONNECTED WITH PERSONAL DATA PROCESSING
RIGHTS OF DATA SUBJECTS
15.1. The following rights are vested in Data subjects:
15.1.1. right to information on Personal Data processing – on that basis, the Controller provides the person making the request with information about data processing, including first of all about the purposes and legal grounds for the processing, the scope of the data held, entities to which they are disclosed and the planned date for deleting the data;
15.1.2. right to receive a copy of the data – on that basis, the Controller provides a copy of the data processed to a person making the request;
15.1.3. right to rectification – the Controller is obligated to remove any non-compliance or errors in Personal Data processed and supplement them if they are incomplete;
15.1.4. right to erasure – on that basis, one may demand deleting the data whose processing is no longer necessary to achieve any of the purposes for which they were collected;
15.1.5. right to restriction of the processing – if such a request is made, the Controller stops performing any operations on the Personal Data, except for those to which the Data subject has given consent and except for storing them in accordance with the adopted retention rules or until the reasons for restricting the processing disappear (e.g. the supervisory authority issues a decision permitting further data processing);
15.1.6. right to data portability – on this basis, to the extent that the data are processed in connection with an executed contract or given consent, the Controller delivers the data provided by the Data subject in a machine-readable format. It is also allowed to request that the data are transmitted to another entity on condition, though, that both the Controller and the other entity have the technical capabilities to do so;
15.1.7. right to object to Personal Data processing for marketing purposes – the Data subject has the right to object at any time to Personal Data processing for marketing purposes without the obligation to justify such an objection;
15.1.8. right to object to data processing for other purposes – the Data subject – due to his/her extraordinary situation – may object at any time to Personal Data processing carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons connected with protecting property); such an objection should include a justification;
15.1.9. right to withdraw consent – if data are processed on the basis of a given consent, the Data subject may withdraw it at any time, which does not have, however, any effect on the lawfulness of processing based on consent before its withdrawal;
15.1.10. right to complaint – if the Data subject believes that the Personal Data processing breaches the provisions of GDPR or other Personal Data protection regulations, the Data subject has the right to lodge a complaint with the data protection supervisory authority competent for his or her habitual residence, place of work or place of the alleged violation. In Poland the supervisory authority is the President of the Personal Data Protection Authority.
NOTIFICATION OF REQUESTS ASSOCIATED WITH EXERCISING THE RIGHTS
15.2. A request about exercising the rights of Data subjects may be filed:
15.2.1. by letter to the address: Poznańska 13/3, 00-680 Warszawa, Poland;
15.3. If ISEC is unable to identify the person filing a request on the basis of the notification made, the Controller will ask the petitioner for additional information. Provision of such data is not mandatory; however, failure to provide them will result in refusal to recognise the request.
16.1. The Policy is verified on an ongoing basis and updated when needed. The present version of the Policy was approved and has been in force since 26 June 2020.