- The administrator of Users’ personal data is the National Freedom Institute – Centre for Civil Society Development, al. Jana Pawła II 12, 00-124 Warsaw, NIP number 7010780575 and REGON number 368854582 (hereinafter the “Administrator”).
- The Administrator takes all actions and applies all available technical solutions aimed at the protection of Users’ personal data, in particular the protection required by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter: “Regulation” and other applicable legal provisions, including actions such as: applying procedures for securing personal data against unauthorized loss, misuse, alteration or destruction.
- The administrator has also appointed a Data Protection Officer with whom Users may contact in matters related to the protection of their privacy. The suggested contact channel for Data Protection Officer “DPO” is an electronic email to the address of firstname.lastname@example.org.
- Personal data is any information relating to an identified or identifiable natural person. An identifiable person is a person who can be identified from this data (directly or indirectly). Information is not considered to enable the identification of a person if it would require excessive costs, time or activities.
- The administrator does not intentionally process the so-called “Special categories of personal data” referred to in Art. 9 of the Regulation (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic data, biometric data, data concerning health, sexuality or sexual orientation of a person). The administrator asks Users not to provide information containing such data.
- If there is a justified need to provide specific category data, please contact the DPO for this purpose.
2 Legal basis and scope of data processing
- Depending on the intended purpose of processing Users’ personal data, it may be processed on the basis of various so-called legal grounds for processing, i.e. the circumstances justifying their use:
- in order to fulfill the legal obligation incumbent on the Administrator (eg: providing the User with information, fulfilling the Administrator’s obligations provided for in the Act of 15 September 2017 on the National Freedom Institute – Centre for Civil Society Development; hereinafter: “Act on NFI”) – art. 6 sec. 1 c) of the Regulation;
- on the basis of consent granted by the User (e.g. in order to enable the User to receive notifications about events related to the third sector and NIW activities in the form of a newsletter) – art. 6 sec. 1 a) of the Regulation;
- when processing is necessary to perform a task carried out in the public interest or as part of the exercise of public authority entrusted to the Administrator (e.g. publication of materials containing personal data and used to perform the Administrator’s tasks specified in the NFI Act; administrative service of the website, including activity analytics on the website) – art. 6 sec. 1 e) of the Regulation;
- when processing is necessary to take action before the conclusion of the contract, in order to enable its conclusion (e.g. handling inquiries sent via the contact form) – art. 6 sec. 1 b) of the Regulation;
- potentially, in the event that the Administrator finds that actions that violate the law or interest of the Administrator has been taken, in connection with the necessity to establish, investigate or defend claims (e.g. keeping website logs, collecting information about activities aimed at unauthorized changes to the functionality of the website or preventing the proper functioning of the website) – Art. 9 sec. 2 f) of the Regulations.
- The Administrator processes Users’ data to the extent necessary to ensure the full use of individual functions.
- In the case of processing personal data on the basis of the consent given by the User, as well as in connection with sending inquiries, providing personal data by the User is voluntary, but failure to provide specific data or failure to consent to their processing may prevent the use of certain functions of the Website or prevent the Administrator from taking actions to handle the inquiry.
3 Tools used by the Administrator for the automatic processing of information
- Cookies are used to obtain information about the way Users use the Website, as well as about problems that arise when using the Website. Cookies are necessary for statistical and information purposes, as well as to improve the functioning of the Website, to quickly remove faults in its functioning and to adapt the Website to the User’s needs.
- Cookies do not change the computer configuration, are not used to install or uninstall any computer programs, do not interfere with the integrity of the IT system or User’s data, are not processed by other websites and can be deleted by the User at any time.
- Using the Administrator’s websites without changing the cookie settings means that they will be stored in the User’s device memory.
- Cookies may be deleted by the User or the User may make appropriate changes to the system software settings of the device (browser) he uses in order to delete or block the saving of cookies. In order to delete cookies or not to save them on the User’s device, you must make an appropriate selection in the web browser settings, however, changing the browser settings, leading to limiting the saving of cookies may result in the inability to use some of the Website’s functions or limitation of use, because some Website functions will not work or their operation will be limited.
- The rights to delete data provided for in the Regulation (the right to be forgotten, Article 17 of the Regulation) and the right not to be subject to automated processing (Article 22 (1) of the Regulation) are implemented by the User by changing the settings in the browser or deleting cookies.
- Data on Users’ activity, which is sent to a leading provider of analytical technologies, are subjected to “on-the-fly” operations to ensure their anonymity, such as masking IP addresses and automated introduction of “noise” (changes to prevent users from being under surveillance while at the same time not significantly affecting the value of statistical data).
- Navigation tags are small picture files placed on a website, enabling the collection of specific information sent by the User’s computer, such as IP address, time of visiting the website, browser type or cookies installed during previous visits by the same server. The use of navigation markers by the Administrator takes place in accordance with applicable law. Disabling navigation tags is possible by rejecting certain cookies responsible for the appearance of a given tag.
4 Period of personal data storage
- Personal data in the website logs are stored for a period of two years.
- Personal data processed for statistical purposes are subject to immediate anonymization, and the cookie used to identify the User is stored for a period of two years from the date of the last visit.
- The data processed on the basis of consent are processed until the consent is withdrawn, but not longer than for two years from the date of the last receipt of confirmation that the consent is valid, e.g. in the form of reading the newsletter or making contact.
- Data processed in connection with the implementation of the Administrator’s statutory goals will be anonymized no later than after three years.
- Data used to establish, assert or defend claims will be processed adequately.
5 Recipients of data
- Administrator does not disclose User’s data to other entities without the consent of the User. The disclosure of personal data without the consent of the data subject may take place only on the basis of legal provisions, in accordance with the principles set out in these provisions and for the purposes specified therein.
- The Administrator may entrust the processing of Users’ personal data on behalf of the Administrator to another entity on the terms set out in art. 28 of the Regulation.
- it means that all entities to which the Administrator entrusts the Users’ data are contractually related to the Administrator and act only at his request and under his supervision;
- all matters related to the protection of privacy, and concerning the actions or omissions of entities to which the Administrator entrusted the data, should be directed to the Administrator’s DPO;
- processing entities entrusted with the processing by the Administrator belong to the following categories: entities providing the mass mailing service of newsletters; hosting; entities providing IT support services.
6 The rights of persons whose personal data are processed
- The User has the right to obtain information from the Administrator regarding the processing of his personal data, as well as to influence the manner, scope and time of their processing, including the right to:
- obtaining access to your own personal data (including obtaining confirmation whether they are processed and obtaining information, e.g. about the purposes, sources, categories of data processed or the period of their storage), which also includes the right to receive a copy of your own data free of charge (for any subsequent copies requested by the User, the Administrator may charge a reasonable fee resulting from administrative costs),
- obtaining information on the method of sharing data, in particular information about the recipients or categories of recipients to whom the data is made available,
- the right to withdraw the consent to the processing of User’s personal data,
- requests for supplementing, updating, rectifying personal data, if they are incomplete, out of date or untrue, as well as restrictions on data processing,
- requesting deletion of data (the right to “be forgotten”), incl. when they are not necessary to achieve the purposes for which they were collected, consent to their processing has been withdrawn or there are no other legal grounds for their processing,
- transferring data, including obtaining from the Administrator the personal data provided by the User in a structured, commonly used machine-readable format,
- object to data processing.
- In the event that the User considers the above rules insufficient, he may at any time write to the Administrator’s DPO at the address indicated above or to the Administrator himself, electronically to the address email@example.com or in writing to the address of the Communication and Promotion Office of the Administrator, in order to obtain explanations, information or to exercise his right.
- If the User considers that the processing of his personal data by the Administrator violates the provisions of the Regulation, he has the right to lodge a complaint with the President of the Office for Personal Data Protection.