PERSONAL DATA PROCESSING POLICY (TRANSPARENCY POLICY)
WE/Data Controller: Yieldbird Spółka z o.o. with its seat in Warsaw, at ul. Czerska 8/10, 00-732 Warszawa, entered into the register of entrepreneurs by
the 13th Commercial Department of the District Court for the Capital City of Warsaw in Warsaw under No. KRS: 324436, NIP (tax number): 6792996939.
Personal data: any information relating to a natural person identified or identifiable by one or more particular factors specifying his/her physical, physiological, genetic, mental, economic, cultural or social identity, including image, voice recording, contact details, location data, information in communication, information collected through recording devices or any similar technology.
Policy: this Personal data processing / Transparency policy.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Data subject: every natural person, whose personal data are processed by the Data Controller (for example our customers, individuals using our services, visiting our premises, communicating us).
DATA PROCESSING BY THE DATA CONTROLLER
Because of our business activity we collect and process personal data according to appropriate regulations, including but not limited to GDPR, and the data processing rules provided for therein.
We ensure the data processing transparency; particularly, we always communicate data processing once we collect data, including the purpose and the legal basis of the processing. We take care that data be collected only to the extent necessary to the prescribed purpose and processed only for the necessary period.
When processing data, we ensure data security and confidentiality and access to information that data are processed to data subjects. If, despite security measures being applied, a personal data breach occurs (for example, data leakage or loss), we communicate such an incident to data subjects in accordance with regulations.
CONTACT WITH THE DATA CONTROLLER
You can contact us at email@example.com or firstname.lastname@example.org or in writing at the address: ul. Czerska 8/10, 00-732 Warszawa. We have appointed the data protection officer – you can contact that officer at email@example.com in each personal data processing-related matter.
PERSONAL DATA SECURITY
In order to safeguard the data integrity and confidentiality, we have implemented procedures to give access to personal data to authorized persons only and only to the necessary extent, given the tasks they perform. We apply technical and organizational solutions to ensure all operations on personal data to be registered and conducted only by authorized persons.
In addition, we take any steps necessary for our subcontractors and other collaborating entities to guarantee that adequate security measures be applied in each case, when they process personal data as ordered by us.
We keep risks analysis on an ongoing basis; we monitor the adequacy of applied data security measures to the identified risks. If necessary, we implement additional measures to improve the data security.
PURPOSES AND LEGAL BASES OF DATA PROCESSING BY THE DATA CONTROLLER
E-mail and hard copy communication
If any e-mail or hard copy communication is sent to us, the personal data in it are processed only for communication and dealing with the matter the communication concerns or any related affairs.
The legitimate interest of the Data Controller (Article 6.1.f of GDPR) consisting in communication addressed to the Data Controller in reference to Controller’s activity is the legal basis of processing.
We process only the personal data needed for the case the communication concerns. The entire communication is stored in the way safeguarding security of both the data contained in it and other information, and it is disclosed to authorized persons only.
In the case of phone contact we may request personal data only if this is necessary to deal with the matter the contact refers to. In such case, the legitimate interest of the Data Controller (Article 6.1.f of GDPR) consisting in the need to deal with the communicated matter relating to the conducted activity.
Phone conversations may be also recorded (we communicate this at the beginning of the conversation), in order to deal with the matter, verify the consultants’ work and the quality of rendered service, as well as for statistical objectives. Recordings are available only to a limited circle of persons.
Personal data in the form of a recorded phone conversation are processed for the purposes:
- connected with providing services to customers through the hotline, if the Data Controller makes such hotline service available – the need to process personal data to provide that service is the legal basis of processing (Article 6.1.f of GDPR);
- of monitoring the quality of service and the verification of work of hotline consultants – the legitimate interest of the Data Controller (Article 6.1.f of GDPR) consisting in taking care of the highest level services for customers is the legal basis of processing
- of potential pursuing or defending against claims relating to the matter, in which you contact us (Article 6.1.f of GDPR).
As regards recruitment, we expect personal data (for example in a CV or a resume) to be provided to us only to the extent specified in labor law regulations. Therefore, wider information does not have to be provided. If applications sent to us include such additional data, this information will be neither used nor taken into account in the recruitment process or for any other purpose.
Personal data are processed for the following purposes:
- performance of obligations provided for by law, relating to the employment process, first of all under the Labor Code – according to Article 6.1.c of GDPR in connection with Labor Code provisions;
- running recruitment process with regard to data not required by law and also for the needs of recruitment in the future – according to Article 6.1.a of GDPR in connection with Labor Code provisions;
- finding or pursuing claims, if any, or defending against such claims – according to Article 6.1.f of GDPR in connection with the Labor Code.
Collecting data because of providing services or performance of other contracts
In the case of collecting data for the needs of performance of a specific contract, we provide the data subject with detailed information concerning the processing of his/her personal data, not later than at entering into the contract.
Collecting data in other cases
Because of our business activity, we also collect personal data for instance at business meetings, industry events or exchanging business cards – for the purposes related to making and keeping business contacts. In such case, the legitimate interest of the Data Controller (Article 6.1.f of GDPR) consisting in establishing the contact network because of our business activity is the legal basis of processing.
Personal data collected in this way are processed only for the purpose, for which they have been collected, safeguarding appropriate data protection.
Since we are running business, which requires personal data processing, data may be disclosed to external entities, including those providing IT systems- and hardware-related services, legal or accounting services, courier services, marketing or recruitment agencies. Data are disclosed also to our affiliates, including the company Agora.
Potential disclosure or providing personal data to authorities with jurisdiction or to third parties, who communicate their demand of such information, may take place only basing on appropriate legal basis and in accordance with law in force.
DATA TRANSFER BEYOND THE EUROPEAN ECONOMIC AREA
The level of personal data protection beyond the European Economic Area (EEA) is different to that ensured by the Community law. Therefore, the Data Controller transfers personal data beyond EEA only, if this is necessary and safeguarding the adequate level of protection, first of all by way of:
- cooperation with entities processing personal data in the countries, in reference to which a respective decision of the European Commission has been issued;
- applying standard contractual clauses laid down by the European Commission;
- applying binding corporate rules approved by the supervisory authority having jurisdiction;
- if transferring data to the US – cooperation with entities taking part in the Privacy Shield program approved by the decision of the European Commission.
The Data Controller always communicates the intention of transferring personal data beyond EEA at the stage of collecting data.
PERSONAL DATA PROCESSING PERIOD
The personal data processing period depends on the purpose of processing. In addition, it may result from regulations, if they are the basis of processing. In the event of data processing based on the Data Controller’s legitimate interest, data are processed for the period making possible to exercise that interest or until an effective objection is made against the data processing. If the processing takes place basing on a consent, data are being processed until the consent is withdrawn. If the need to enter into and to perform a contract is the basis of processing, data will be processed until the contract is terminated.
The data processing period may be extended, if the processing is necessary in order to find, pursue or defend against claims, if any, and after that period, only in the event and to the extent legal regulations require doing so. Data are irretrievably erased or rendered anonymous after the data processing period elapses.
PERSONAL DATA PROCESSING-RELATED RIGHTS
Rights vested in data subjects
Data subjects have the following rights:
- Right to be informed on personal data processing – we communicate the personal data processing to someone, who demands such information; first of all, we communicate the purposes and legal bases of processing, the extent of data we are holding, the entities we disclose the data to and the scheduled time of data erasure;
- Right to obtain copy data – we give copy data concerning a data subject who demands so;
- Right to rectification – on demand of a data subject we erase discrepancies or errors, if any, in the personal data being processed, and we complete the data, if incomplete;
- Right to data erasure – the data, processing which is no longer necessary in relation to any of the purposes, for which they have been collected, may be demanded to be erased;
- Right to restriction of processing – in the case of such demand, we cancel both operations on the personal data and the data storage, until the reasons of the data processing restriction cease to exist (for example, a decision of a supervisory authority is issued permitting the data processing continuation);
- Right to data portability – to the extent the data are being processed by automated means or in relation to a contract or a given consent, we will release in the computer-readable format the data provided by a data subject before. These data may be also demanded to be transmitted to another entity, however provided that this is technically possible both on our part and on the part of that entity;
- Right to object against data processing for direct marketing purposes – you may object any time against processing your data for direct marketing purposes, with no need to provide any reasons of objection;
- Right to object against data processing for other purposes – a data subject may object any time against personal data processing for the reasons relating to his/her special situation – if we process his/her data on the basis of the Data Controller’s legitimate interest (namely according to Article 6.1.f of GDPR, e.g. for analytical or statistical objectives or for reasons relating to protection of his/her property). The objection against doing so should have the description of reasons;
- Right to withdrawal of consent – if the data are being processed on the grounds of a consent, the data subject has the right to withdraw the consent any time; this however does not affect compliance with law of the processing taking place before that consent has been withdrawn;
- Right to complaint – if it is considered that the personal data processing breaches GDPR or other personal data protection-related regulations, a data subject may lodge a complaint to the President of the Personal Data Protection Office.
Demands and motions with regard to your rights
You can lodge your motion/demand:
- in writing at: Czerska 8/10, 00-732 Warszawa;
- by e-mail at: firstname.lastname@example.org or email@example.com.
In order to make it easier to deal with your demand, please specify clearly, if possible, what your motion/demand concerns, for example:
- what right you would like to exercise (e.g. right to obtain copy data, right to erase data, etc.);
- what processing your demand concerns (e.g. use of a specific service, activity in a specific web service, obtaining a newsletter, etc.);
- what purposes of processing your demand concerns (e.g. marketing purposes, analytical purposes, etc.).
If we are unable to find the content of the demand or to identify who lodges the motion based on the notification, we will ask you for further information. The response to the notification should be given within one month after receiving it. If it is necessary to extend that period, we will inform you of the reasons of extension.
The response is in writing, unless the motion/demand has been made by e-mail or communication by e-mail has been demanded in it. In case of doubts as to the identity of someone lodging a demand by e-mail, we reserve the option of identity verification.
Rules of fees
The proceedings in matters of motions being lodged are free of charge. Fees may be collected only in the cases of:
- a demand of the second and each next copy data to be given (the first copy data are free of charge); in such an event we may demand payment of the
30 (thirty) zł fee;
This fee includes costs relating to the dealing with the demand.
- excessive (for example extremely often) or obviously unreasonable demands being made by the same person; in such an event we may demand payment of the 30 (thirty) zł fee;
This fee includes costs relating to taking steps to deal with the demand.
The data subject, if he/she challenges the decision on imposing the fee, may lodge a complaint to the President of the Personal Data Protection Office.
MODIFICATIONS TO THE PERSONAL DATA PROCESSING POLICY
The Policy is verified on an ongoing basis and updated, if necessary. The up-to-date Policy version has been adopted on 23 May 2018.