- Basic information
- With due regard to your rights as subjects of personal data (data subjects) and to the applicable law, in particular to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR, the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws, item 1000 as amended, hereinafter referred to as the Act) and other relevant provisions on the protection of personal data, we undertake to maintain the security and confidentiality of personal data obtained from you.
- All capitalized words have the meaning given to them in the Application Regulations, unless otherwise stated in this document.
- All employees have been appropriately trained in regard to the processing of personal data and our company, as the Personal Data Administrator, has implemented adequate safeguards as well as technical and organizational measures to ensure the highest level of security of your personal data. We have implemented the Information Security Policy along with the necessary procedures, thanks to which we ensure compliance with the law and reliability of data processing processes, as well as the enforcement of all your rights as data subjects. In addition, where necessary, we also cooperate with the supervisory authority on the territory of the Republic of Poland, i.e. with the Head of the Office for the Personal Data Protection (hereinafter referred to as PUODO).
- Each recognized security breach is documented, and if one of the situations referred to in the provisions of either GDPR or the Act, data subjects and – if applicable- PUODO, shall be informed about such breach.
- Personal Data Administrator
- The Administrator, i.e. the entity deciding which personal data will be processed and for what purpose and in what way, in the “Support in Gdańsk” mobile application is Fundacja Oparcia Społecznego Aleksandry FOSA with its registered office at ul. Chopina 42, 80-272 Gdańsk, hereinafter referred to as the Foundation.
- You can contact us by sending an email to the following address: firstname.lastname@example.org.
- Data Protection Inspector
- For the proper supervision of the protection of your personal data, the Administrator has appointed a Data Protection Inspector.All inquiries, applications, complaints regarding the processing of personal data by our company, hereinafter referred to as Notifications, should be sent to the following e-mail address: email@example.com or firstname.lastname@example.org. The Data Protection Inspector in our company is Katarzyna Kawczyńska.
- The content of the Notification should clearly indicate:
- the data of the person or persons whom the Report concerns,
- event, which is the reason for submitting the Report,
- your request and the legal basis for the request,
- the expected settlement.
- Purposes of personal data processing
- in order to use the services available in our Application,
- to register you in our database by creating an account, which is voluntary, but necessary to provide services. In such a situation, we store the data you provide in our database to facilitate your use of services as part of our Application,
- to arrange a telephone consultation,
- to report discrimination
- in order to use the training functionality
- in order to assess your non-discriminatory behaviours by means of a quiz
- in order to provide support,
- in order to create statistical reports (without the possibility of identifying the user).
- Methods of processing personal data
- Personal data is collected through the Application and obtained by us directly from persons to whom they relate using the initial form and collecting additional information during the Application’s operation.
- We process this data mainly using IT systems, and in the case of obtaining data provided to us in written correspondence, also manually.
- The information we collect through the Application may be used by us in connection with our business, for the purposes described in point IV above.
- In our Application, we collect the following information, including personal data:
- identification data: e-mail address; sex, age, telephone number, correspondence address (in the case of traditional mailing)
- technical data: device IP address, data collected by Google Analytics and Apple
- health data, in particular: disability, mental crisis / mental disorders, psychosexual orientation / sexuality, racial or ethnic origin, religious or philosophical beliefs
- In accordance with the principle of data minimization, we process only those categories of personal data which are necessary to achieve the objectives referred to in the point IV above.
- The IP address of the device referred to above constitutes information resulting from the general principles of Internet connections (such as the IP address and other information contained in system logs) used by the Application administrator for technical purposes. IP addresses may also be used for statistical purposes.
- We obtain personal data for which we are the Administrator directly in the process of sending the forms included in the Application, e-mail messages or written correspondence. They contain mainly the data declared by you.
- Personal data is processed for the time necessary to achieve the objectives set out in the point IV above. Personal data may be processed for a period longer than indicated in the preceding sentence in cases where such permission or obligation imposed on the Personal Data Administrator results from specific provisions of the law or when the services we provide are continuous.
- Only the data subjects are the source of the data processed by the Application.
- Legal bases for data processing
The bases for the processing of your personal data are:
- art. 6, paragraph 1 letter a of GDPR and art. 9 par. 2 letter a of the GDPR, i.e. when the data subject has expressly consented to the processing of this personal data for one or more specific purposes (identification data, health data, data on sexuality and psychosexual orientation),
- art. 6, paragraph 1 letter f of GDPR, i.e. the Controller’s legitimate interest in creating statistical data, with particular emphasis on the IP addresses of devices referred to in point V above, backing up data, establishing, defending or pursuing claims until their expiry (technical data) and potential correspondence with Users.
- Personal data processing period
- Your personal data processed in connection with the provision of services are processed by us for the period of providing the Service to the extent necessary for its proper implementation, and after this period only to the extent necessary to meet the obligations arising from legal provisions and in connection with any claims or defense against.
- Your personal data processed on the basis of consent (identification data, data of special categories, in particular health data), are processed by us until the consent is withdrawn, i.e. until the account is deleted in the Application.
- Your personal data processed on the basis of the legitimate interest of the Administrator are processed until you object to their further processing.
- Recipients of personal data
- Sharing personal data
- We do not disclose personal data to any third party without explicit conset of the data subject. Personal data may be made available without the consent of data subjects only to bodies governed by public law, i.e. authorities and administration (e.g. tax authorities, law enforcement authorities and other entities authorized by generally applicable provisions of law).
- Personal data will be made available primarily to our employees in accordance with the rights and authorizations they have in order to ensure the proper handling of the data processing processes being carried out and in the necessary time and scope.
- Our employees have been trained in the principles of personal data processing, applicable legal provisions regarding the principles of personal data processing and protection, and have been required to keep this information confidential.
- In justified cases, personal data may also be made available to trusted cooperating entities, only for purposes related to the provision of the Service or ensuring its proper provision.
- Entrustment of personal data
- Personal data may also be entrusted for processing to processing subjects, i.e. entities that process data on behalf of the Administrator. In such cases, we – as the Personal Data Administrator – conclude an agreement on entrustment of personal data processing with such processing subjects. The processing subject processes the entrusted personal data, but only for the needs, to the extent and for the purposes indicated in the agreement referred to in the preceding sentence.
- Without entrusting your personal data for processing we could not carry out our activities within the Application. As the Administrator, we entrust the Users’ personal data for processing to entities providing services to us as the Administrator, which are necessary for the current functioning of the Application;
- Individuals’ rights
- You can freely exercise the rights of natural persons set out in the GDPR. For this purpose, an appropriate request regarding the exercise of the rights of persons should be sent to our e-mail address : email@example.com firstname.lastname@example.org.
- In justified cases, due to the correct identification of the person, we may ask you to provide additional information or provide the necessary documents confirming your identity.
- All requests related to the implementation of your rights should be reported directly to the Administrator.
- If you want to exercise your rights to withdraw consent to data processing or delete data, please use the “Delete account” tab in the Application. If you want to exercise your rights, as set out below, please send your request directly from the Application from the appropriate menu item.
- The right to freely express or withdraw consent to data processing
- You have the right to freely express or withdraw consent to the processing of personal data. If your personal data is processed on the basis of your consent, we will provide you with the option to withdraw it at any time by deleting your account in the Application.
- Withdrawal of consent will have an immediate effect from the moment of this action and will not affect the processing of data that took place before its withdrawal.
- Withdrawal of consent does not entail any negative consequences for you, but it prevents us from continuing to provide services by the Application.
- Right to information
- Pursuant to art. 12 and 13 of the GDPR, you have the right to a range of information (including information on your data, contact details of the DPI, purposes and legal grounds for the processing of personal data, recipients or categories of recipients of personal data, if any, or about the period during which the data will be processed or on the criteria for determining this period).
C. Right of access to personal data
- Pursuant to art. 15 of GDPR, you have the right to be informed about your data and for what purpose we process and the right to obtain a copy of your personal data.
- We implement the right of access to data by sending a request to obtain a copy of your personal data by sending a request to the e-mail address: email@example.com.
- You have a right to request access to any and all information we hold that identifies you personally. In this case, we provide you with a copy of the personal data provided by you in a structured, commonly used, machine-readable format within no more than 30 days of receipt of the request. We do not charge a fee for preparing, processing and issuing the first copy of the data.
- In the case of subsequent requests, we may charge you a fee resulting from the costs of preparing, processing and delivering this data. In this case, you will be informed about the amount of the fee before preparing another copy of the data.
D. Right to correction of personal data
- Pursuant to art. 16 of GDPR, you have the right to rectify (correct, update, supplement) your personal data.
- If your personal data has changed, please inform us of this fact so that the data we have is true and up-to-date. Also in a situation where there has been no change of personal data, but for any reason the data is incorrect or has been saved incorrectly (e.g. due to a typo), please inform us directly from the Application from the appropriate menu item in order to have such data corrected or correct them yourself, if the Application allows it.
E. Right to erasure of personal data
- Pursuant to art. 17 of GDPR, you have the right to request the deletion of your personal data. We implement this right in response to the use of the “Delete account” tab in the Application. NOTE: deleting personal data will stop our company from providing you with the Services.
- You can request the removal of your personal data especially when:
- the purposes for which the personal data have been collected has been achieved, e.g. you have stopped using our Services,
- the basis for the processing of your personal data was your consent, which was then withdrawn and there is no other legal basis for further processing of your personal data,
- you have raised an objection pursuant to Art. 21 of GDPR and you believe that we do not have any overriding legal grounds for further processing of your personal data,
- your personal data has been processed against the law, i.e. for the unlawful purposes or without any basis for the processing of personal data – please note that in this case you must have a basis for such a request,
- the need to remove your personal data arises from the provisions of law,
- despite the declaration at registration that the person is over 16, the personal data relates to a minor and was collected in connection with the provision of information society services.
- The exercise of the right to request the deletion of personal data may, however, be limited if this processing is necessary for us to fulfill our obligation under the law or to establish, assert or defend claims.
- You can request the deletion of your data by selecting the “Consent to the processing of personal data” option in the Application settings “user profile”.
F. The right to limit the processing of personal data
- Pursuant to art. 18 of GDPR, you have the right to demand that the processing of your personal data be restricted. We implement this right on the basis of a clear request to limit processing with justification sent to us at the address firstname.lastname@example.org.
- As a result of the request to limit data processing, our company may only store your data until the matter is resolved.
- You may exercise the right to limit the processing of personal data if:
- you question the correctness of the personal data provided – for a period allowing to verify the correctness of the questioned data;
- the processing of personal data is unlawful, but you object to the erasure of your personal data;
- the personal data that we process are no longer necessary to achieve the purpose for which we processed them, but you need them to establish, investigate or defend against claims;
- you object to the processing of personal data due to the special situation indicated in the provisions on the protection of personal data.
G. Right to data portability
- Pursuant to art. 20 of GDPR, you have the right to request the transfer of your personal data to another service provider.
- You are entitled to this right only if the basis for the processing of your data was your consent and the data was processed in an automated manner.
H. The right to object to the processing of personal data
- Pursuant to art. 21 of GDPR, you have the right to object to the processing of your personal data.
- We implement this right on the basis of sending us a clear objection to the processing of your data, which we have processed so far for legitimate purposes in accordance with the law.
I. Right to complain with a Supervisory Authority
- Pursuant to art. 77 of GDPR, you have the right to lodge a complaint related to the processing of your personal data to the supervisory body, i.e. to the President of the Office for Personal Data Protection, ul. Stawki 2; 00-193 Warszawa, if you feel that we are processing your personal data unlawfully or in any way violate the rights resulting from generally applicable legal provisions in the field of personal data protection.
- We respect your privacy and guarantee you the opportunity to exercise your rights under the law regarding the processing of personal data. In order to avoid unnecessary disputes, before submitting such a complaint, we encourage you to contact our Data Protection Inspector directly (email@example.com).
J. Limitations related to the exercise of the rights of the personal data subject
The above-mentioned rights and the manner of their implementation may be limited in justified cases. Such a situation will take place when this limitation results from obligations specified in legal provisions to which we are obliged. In this case, we will provide you with relevant information along with the justification for our decision.
- Information on the obligation to provide data
- Providing some personal data is necessary for the proper provision of our Services or for the fulfillment of a request or notification. By applying the principle of minimization, we do not collect more data than it is necessary for their implementation.
- Failure to provide the required information may result in the restriction or termination of our Services or the fulfillment of your request or notification.
- Persons reporting unwanted activity regarding the service we offer may additionally be required to provide more data, in a situation where such data is required by law or applicable reporting procedures.
- Document update policy
- We will inform people using the Application about any changes through notifications in the Application as part of the message on the main application dashboard. In addition, in the event of significant changes related to the protection of privacy and personal data protection, we may send additional information to the e-mail address provided to us or require you to re-accept the rules for the processing of personal data and the protection of privacy in connection with the processing of information based on cookies and other similar technology.
- Final provisions
- These Privacy Protection Principles apply from the date of publication, i.e. from 1st of December 2020.