I. PERSONAL DATA ADMINISTRATOR
The Administrator of Personal Data is BHP Consulting Agnieszka Brykała with its registered office in Biała, 09-411, Andrzeja Kmicica 28, entered into the Central Register of Economic Activities, VAT no PL 774-247-18-85, Business reg. no–Regon 611423207 (hereinafter also as: ADO).
II. PERSONAL DATA ADMINISTRATOR
The administrator of Personal Data is BHP Consulting Agnieszka Brykała with its registered office in Biała, 09-411, Andrzeja Kmicica 28, entered into the Central Register of Economic Activities, VAT no PL 774-247-18-85, Business reg. no–Regon 611423207 (hereinafter also as ADO).
III. RULES REGARDING PROCESSING AND PROTECTION OF PERSONAL DATA
1. The Personal Data Administrator processes personal data in accordance with legal provisions-in particular with provisions of the GDPR–in a fair and transparent manner for the Data Subject (“the principle of legality, fairness and transparency of processing”, in accordance with art. a) and art. 6 r.o.d.o.).
2. The principle of data processing in accordance with the law implies that ADO is able to demonstrate an appropriate basis for processing the personal data. The processing of personal data is lawful when it meets at least one of the following conditions:
a) The Data Subject has consented to the processing of his/her/her personal data for one or more specific purposes;
b) Data processing is necessary for: performing a contract–to which the Data Subject is the party of–being referred to by the subject data, taking action at request of the Data Subject before making such a contract effective;
c) Data processing is necessary to protect the vital interests of the Data Subject or of another natural person;
d) Data processing is necessary to fulfil legal obligation incumbent on ADO, specified in the law of the European Union or the law of any Member State;
e) Processing is necessary (1) to perform a task executed in public interest or (2) as part of public authority entrusted to ADO;
f) Processing is necessary for the purposes of the legitimate interests pursued by ADO or a third party, except where the interests are overridden by interests or fundamental rights and freedoms of the Data Subject, requiring the protection of personal data, in particular when the Data Subject is a child (this does not apply to data processing carried out by public authorities in the performance of their primary tasks).
3. Processing of personal data in accordance with law also implies consideration of principles of social coexistence as well as the legitimate interests and reasonable expectations of the Data Subject in the processing of their personal data.
4. The Personal Data Administrator collects personal data and processes them on the basis of consent or other premises under legal provisions, for the purpose of which they were collected. The processing of personal data contrary to the purpose for which they were collected shall be prohibited (“purpose limitation principle”, pursuant to Article 5 (1) (b) of GDPR).
5. The purpose of processing of personal data must be specific, clearly defined and implement the legitimate interests of the Personal Data Administrator or the Data Subject. At the latest when the processing of personal data begins, it should be made known to the Data Subject.
6. The Personal Data Administrator determines the scope and processes only the personal data that is necessary to achieve the purpose of processing in which the data was collected (“data minimization principle”, in accordance with Article 5 (1) (c) of GDPR). ADO collects only the personal data, the scope of which is adequate and appropriate, and without which it would be impossible to achieve the purpose of processing.
7. The Personal Data Administrator, within the scope of his/her technical and organizational capabilities, taking into account the necessary costs, takes care of correctness, updating and completeness of the personal data processed by him/her (“the principle of correctness”, in accordance with Article 5 (1) (d) of the GDPR). ADO is responsible for the condition of the processed data to the extent that it could easily or with little effort ensure its correctness (compliance with actual state), timeliness and completeness, taking into account the limits of reasonableness of actions taken.
8. The Personal Data Administrator processes personal data in a form that permits identification of the Data Subject only when it is justified by the purpose for which the data was collected (“the principle of limitation of processing time”, in accordance with Article 5 (1) letter e) of the GDPR).
9. As soon as ADO achieves the purpose for which the data was collected, ADO may still process this data only in the manner provided for by law, in accordance with rules in force at ADO, or provided the data has been anonymised. Data anonymization means depriving this data of features that make it possible to identify the Data Subject and thereby protect him/her against any negative effects of processing his/her data. Anonymised data are not considered personal data within the meaning of generally applicable law, including r.o.d.o.
10. The Personal Data Administrator processes personal data in a manner that ensures appropriate security of this data, including protection against unauthorized or unlawful processing of this data, accidental loss, destruction, modification or damage to data (“the principle of integrity and confidentiality”, in accordance with Article 5 (1) (f) of the GDPR).
11. The Personal Data Administrator is in charge of demonstrating, in an unquestionable manner that the principles described in point 10 of this paragraph, in particular demonstrating compliance with provisions of generally applicable law in the field of personal data protection (“the principle of accountability”, in accordance with Article 5 (2) of r.o.d.o.).
12. When performing his/her tasks, the Administrator uses the services of other entities.
When performing his/her tasks, the Administrator takes advantages of services rendered by other entities.
When making purchases in the online store on the website: https://pogotowiebhp.com.pl/ or subscribing to the webinars on the website: https: //www.e-pogotowiebhp.com/, personal data will be transferred to other external entities:
III. I. RIGHTS OF THE PERSON THE DATA REFERRS TO
1. The Personal Data Administrator is obliged to inform the Data Subject about his or her rights, the latest when the processing of the data begins.
a) rights to access their own data: “The Data Subject has the right (1) to obtain information from ADO regarding his/her personal data and (2) to obtain a free copy of The Data Subject’s data, which is at the disposal of ADO”;
b) the right to be informed: “The Data Subject has the right to be informed also about his/her rights, including the right to lodge a complaint with a supervisory authority or initiate court proceedings, as well as about the source of the data, if it has not been obtained directly from the requesting party”;
d) the right to delete data (“the right to be forgotten”) “the Data Subject has the right to request the Personal Data Administrator to immediately delete the collected data concerning him/her, in case of obsolescence of the purposes of the processing for which the data was collected, withdrawal of the consent constituting the basis processing, objecting, unlawful data processing or fulfilling obligations under the law. The ADO who made the data public, due to the exercise by the interested party of the right to delete data, should immediately inform other administrators and entities processing this data about the obligation to delete them;
e) the right to limit the processing “the Data Subject has the right, in certain cases, to request the limitation of the processing of his data only to the possibility of storing his/her data by ADO. Any other operations on this data may be made (1) only after obtaining consent of the Data Subject, or (2) for pursuing claims or protection of rights of another natural or legal person or (3) for reasons of important public interest;
f) the right to transfer data “the Data Subject has the right to request the ADO to provide his/her data in a structured, commonly used machine-readable format to another administrator and to enable them to be sent to another administrator, as requested. At the request of the Data Subject, ADO is obliged to provide data directly to another administrator.
g) the right to object “the Data Subject has the right at the moment to file an objection “for reasons related to its special situation – to the processing of his/her personal data, when there is any premise for data processing need so as to execute a task carried out in public interest, or as part of the exercise of public authority entrusted to ADO, or for purposes resulting from the law legitimate interests pursued by ADO or a Third Party. In this case, ADO is not allowed to process this data, unless it demonstrates the existence of valid, legally justified grounds for its processing which override interests, rights and freedoms of the Data Subject or the grounds for determining, pursuing or defending claims. The Data Subject also has the right to object to profile his/her data, processing for direct marketing purposes, as well as for the purposes of scientific or historical research, or for statistical purposes, unless the processing is necessary to perform the task carried out in public interest.
2. The Personal Data Administrator is obliged to inform the Data Subject about his or her rights, the latest when the processing of his/her data begins.
III. II. CONSENT OF THE PERSON WHO THE DATA CONCERNS
1. The independent basis for processing of personal data is the consent of the Data Subject to processing of his/her data for a specific purpose and by a specific ADO.
2. The consent of the Data Subject is understood as a voluntary, specific, informed and unambiguous demonstration of will to persons whom The Data Subject allows for processing of his/her data. It may be made in the form of a declaration or a clear affirmative act. Only such consent is the basis for the processing of personal data.
3. Consent may be expressed in a written declaration on other matters, however, the condition for effectiveness is that it is clearly identifiable and important as well as are the effects that it will have.
4. The Personal Data Administrator is obliged to prove each time that the above-described consent to the processing of personal data has been submitted.
5. The consent of the Data Subject is not required for the processing of his data only if the processing of such personal data:
- is necessary for the performance of a contract to which the Data Subject is the party of, or to take steps at the request of the Data Subject before concluding such a contract;
- is necessary to protect the vital interests of the Data Subject or of another natural person;
- is necessary to fulfil legal obligation incumbent on ADO, or to perform a task in the public interest, or as part of public authority entrusted to ADO, or it is necessary for purposes resulting from legitimate interests pursued by ADO or a third party, within the limits specified by generally applicable law;
6. Consent of the Data Subject to the processing of sensitive personal data is not required only if the processing of such data:
- serves the purpose of the Data Subject, or the Data Subject’s vital interests, or serves the interest of protection of any other natural person; also in the case when the person referred to with the data is incapable of providing her/his legally binding consent;
- is necessary for the performance of ADO tasks or any tasks of: statutory non-profit organizations, or foundations, associations or other non-profit institutions;
- [is done] for reasons of important public interest, on the basis of EU or Member State law, on the basis of the provisions of specific laws and for medical and public interest purposes, including for the purposes of preventive healthcare, occupational medicine, assessment of the employee’s ability to work and in the field of public health;
- [is done to] conduct court proceedings, including the establishment, exercise or defence of claims in the administration of justice by courts;
- [is done] when the processed data have been made public beforehand by the data subject.
7. Consent to the processing of personal data may be withdrawn at any time, also before data processing begins on its basis and before the purpose for which it was expressed is achieved. Withdrawal of consent does not affect data processing operations carried out before the consent is withdrawn. ADO provides the option to withdraw the consent in the same easy manner as expressing it.
IT SYSTEM MANAGEMENT MANUAL FOR PERSONAL DATA PROCESSING – GENERAL INFORMATION
The aim of preparing the IT system management manual for processing of personal data (hereinafter: the Management Manual) at BHP Consulting Agnieszka Brykała, 09-411 Biała, Andrzeja Kmicica 28, hereinafter referred to as BHP Consulting, is to ensure the security of data and compliance of their processing in IT systems used by BHP Consulting with the generally applicable provisions of law on personal data, in particular with the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on protection of individuals with regard to processing of personal data and on free movement of such data, repealing Directive 95/46 / EC (General Data Protection Regulation) (hereinafter: GDPR). The Management Manual constitutes, along with the Personal Data Security Policy (hereinafter: Security Policy), documentation in the field of personal data protection and was developed to ensure the correct implementation and security of the personal data processing process in BHP Consulting and complexity of solutions in this area. Personal data processed in IT systems are protected pursuant to the provisions of generally applicable law, in particular pursuant to r.o.d.o. and regulations of the Management Instruction. IT systems that store data are protected by appropriate technical means that guarantee confidentiality.
“Cookies” are small text files containing IT data stored in users’ devices, which are intended for the use of websites. “Cookies” allow, among others, to display websites tailored to individual preferences, and usually contain the website address, storage time on the user’s device and their own unique identifier.
We use session (temporary) and permanent cookies. Session cookies are stored on the user’s device until logging out of the website or turning off the web browser. On the other hand, permanent “cookies” are stored for a defined period of time, which is determined by the parameter contained in the “Cookies” file.
We use the information contained in “Cookies” to provide various tools and functionalities of the website and to collect general statistical data. This allows us to identify the way users use the website, and allows us to improve its structure and content. We emphasize that personal data collected using “Cookies” are encrypted in a way that prevents unauthorized access to them. They also prevent personal identification of the user.
In the web browser, you can change the settings for “Cookies” and manually delete them. Appropriate information on the use of “Cookies” and possible configurations are available in the settings, depending on the type of browser.
Detailed information on changing the settings for “Cookies” and their self-removal in the most popular web browsers is available in the help section of the web browser and at: