1.1. Controller – Ogólnopolski Konwent Agencji Pracy [All-Polish Convention of Labour Agencies], ul. Krakowska 1, 45-018 Opole, entered in the register of associations under KRS No. 229820, telephone: 0048 77 45 30 371, email: firstname.lastname@example.org.
1.2. Personal data – all information relating to an identified or identifiable natural person, i.e. one who can be identified based on one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity; this includes an IP address of a device, location data, an online identifier, and information collected through cookies and other similar technologies.
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5. Site – a website maintained by the Controller, available at www.okap.org.pl.
1.6. User – any natural person visiting the Site.
2.1. In connection with using the Site by the User, the Controller shall collect data in the scope necessary to provide the services offered, as well as information about the User’s activity on the Site. The detailed rules and purposes of the processing of personal data collected while the User is using the Site are specified below.
1. The Controller can be contacted by means of electronic contact forms and by means of messages sent to dedicated email addresses provided by the Controller on the Site. In order for the form to be used or for a message to be sent to the right address, personal data must be provided – they are necessary for the purpose of contacting the User and replying to his or her question. The User may also provide other data to facilitate contact and the process of handling enquires. Providing the data is optional but failure to provide them or providing false or incorrect data shall make it impossible to handle the inquiry.
2. Personal data are processed:
2.1. for the purpose of identifying the sender and handling his or her enquiry sent by means of the provided contact form or to the provided contact email address, including presenting a potential offer at the User’s request – the User’s consent to the processing of his or her personal data, given by means of filling in the appropriate form fields or sending an email to the Controller, shall be the legal basis for the processing (Article 6(1)(a) of GDPR);
2.2. for the purpose of identifying the sender and handling his or her enquiry sent by means of the provided contact form or to the provided email address – the processing being necessary for the performance of a contract for the provision of services, in particular as regards the participation in training or a conference if such an enquiry concerns the contract that has been entered into or, in order to take action at the request of the data subject prior to entering into a contract if such an enquiry is directly related to the data subject’s will to enter into a contract, shall be the legal basis for the processing (Article 6(1)(b) of GDPR);
2.3. for the purpose of examining the declaration in connection with the need to verify if the membership criteria have been met – the legitimate interests pursued by the Controller shall be the legal basis for the processing (Article 6(1)(f) of GDPR).
4.1. The Controller shall process personal data of Users visiting the Controller’s profiles in social media (Facebook, LinkedIn). The said data shall be processed in connection with managing the profile, including for the purpose of informing Users about the Controller’s activity, promoting various types of events, services and products, and communicating with Users using the functionalities available on social media platforms. The legitimate interests pursued by the Controller, consisting in promoting its own brand as well as building and maintaining a community around the brand, shall be the legal basis for the processing of personal data for this purpose (Article 6(1)(f) of GDPR).
5.1. The Controller hereby gives notice that when the User connects with the Site, information about the number (including IP) and type of the User’s end device, used by the User to connect with the Site, appears in the Site’s system logs. The Controller hereby gives notice that – in accordance with the provisions of binding law – it shall also process the data concerning the number (including IP) and type of the User’s end device, the time for which the User stays connected with the Site, and other operational data concerning the User’s activity. Such data are processed in particular for technical purposes and for the purpose of collecting general statistical information.
5.3. The User may change the cookie settings at any time. To do so, the cookie settings of the web browser must be changed. These settings may be changed in particular in such a way as to block the automatic support of cookies in the web browser settings or to inform the User each time they are stored on the User’s device. Detailed information about the possibilities and ways of handling cookies can be found in the software (web browser) settings.
6.1. The period for which personal data are processed by the Controller shall depend on the legal basis for and the purpose of data processing. As a rule, data shall be processed for the period a given person has a status of a member of the Employers’ Association or a service (training) is being provided, until given consent has been withdrawn, or until the data subject has effectively objected to data processing where the legitimate interest of the Controller is the legal basis for the processing.
6.2. The period of data processing may be extended if the processing is necessary to establish, exercise or defend any legal claims, and after that time only if and to the extent required by law. After the period of processing, data shall be irreversibly erased or anonymised.
7.1. Data subjects shall have the following rights:
7.1.1. Right to obtain the information in relation to the processing of personal data – on this basis, the Controller shall provide the person making such a request with the information in relation to the processing of personal data, including in particular the information about the purposes and legal bases for the processing, about the scope of the data held, about the entities to which personal data are disclosed, and about the planned date of their erasure.
7.1.2. Right to obtain a copy of the data – on this basis, the Controller shall provide a copy of the personal data undergoing processing, concerning the person making the request.
7.1.3. Right to rectification – on this basis, the Controller shall remove any inaccuracies or errors concerning the personal data undergoing processing, make such data complete or update them if they are incomplete or have changed.
7.1.4. Right to erasure – on this basis, the data subject may obtain the erasure of the data that no longer need to be processed for any of the purposes for which they have been collected.
7.1.5. Right to restriction of processing – on this basis, the Controller shall cease to perform operations on personal data, except for the operations to which the data subject has given his or her consent, and to store them in accordance with the adopted principles of retention, or until the reasons for the restriction of the processing of personal data no longer exist (e.g. a decision is issued by a supervisory authority, allowing further processing).
7.1.6. Right to data portability – on this basis, to the extent that the data are processed in the context of a contract that has been entered into or consent that has been given, the Controller shall issue the data provided by a given data subject in a form allowing such data to be read electronically. It shall be also possible to request that such data be transmitted to another entity, provided – however – that such transmission is technically feasible for both the Controller and that other entity.
7.1.7. Right to object to the processing of data for the purposes other than marketing purposes – a data subject may at any time object to the processing of his or her personal data on the basis of a legitimate interest of the Controller (e.g. for analytical or statistical purposes). Such an objection should include reasons and shall be assessed by the Controller.
7.1.8. Right to withdraw consent – if the data are processed on the basis of the consent, the data subject shall have the right to withdraw such consent at any time; however, this shall not affect the lawfulness of processing before its withdrawal.
7.1.9 Right to lodge a complaint – if a data subject considers that the processing of personal data violates the provisions of the GDPR or other data protection provisions, he or she shall have the right to lodge a complaint with the President of the Office for Personal Data Protection in Warsaw.
2. A request for the exercise of data subjects’ rights may be made:
2.1. in writing to the following address: Ogólnopolski Konwent Agencji Pracy, ul. Krakowska 1, 45-018 Opole;
2.2. by email to: email@example.com.
3. The request should as far as possible precisely indicate what is being requested, i.e. in particular:
3.1. the right the person making the request wishes to exercise (e.g. right to obtain a copy of the data, right to erasure, etc.);
3.2. the processing operation concerned by the request (e.g. the use of a specific service, etc.);
3.3. the processing purposes concerned by the request (e.g. analytical purposes, etc.).
4. Should the Controller be unable to determine the contents of the request or to identify the requestor, it shall contact the requestor and ask for additional information.
5. A response to a request shall be given within a month of its receipt. Should it be necessary for this period to be extended, the Controller shall inform the requestor of the reasons for such an extension.
6. A response shall be given to the e-mail address used to send the request or – in the case of requests received by traditional mail – by letter to the address indicated by the requestor, unless the letter received from the requestor suggests that he or she would like the response to be sent to an email address (in such a case an email address should be indicated).
8.1. In connection with the provision of services, personal data may be made available only to external entities providing subcontracted services to the Controller, including the operation of IT systems or financial and accounting services, where such entities process data as subcontractors, based on a contract with the Employers’ Association and only according to its instructions, or to entities providing legal, audit or consulting services.
9.1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by the European law. The Controller shall not transfer personal data outside the EEA; however, this shall not prevent such a transfer in the future, but only after Users have been informed about it in advance, and only if such a transfer proves to be necessary and an adequate level of protection is guaranteed, in particular through:
9.1.1. cooperating with personal data processors in countries for which an appropriate decision has been issued by the European Commission;
9.1.2. applying standard contractual clauses issued by the European Commission;
9.1.3. applying binding corporate rules approved by the competent supervisory authority;
9.1.4. should data be transferred to the United States – cooperating with entities participating in the Privacy Shield program, approved by the European Commission.
9.2. The Controller may transfer personal data also in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules; a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only if the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Controller and another natural person, or where the data subject gives his or her explicit consent.
10.1. The Controller shall conduct risk analysis on an ongoing basis in order to ensure that it processes personal data in a secure manner, and – above all – that only authorised persons have access to data and only to the extent necessary for the tasks performed by them. The Controller shall make sure that all operations on personal data are recorded and performed only by authorised employees and associates.
10.2. The Controller shall take all necessary steps to ensure that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on instructions from the Controller.
11.1. The Controller may be contacted by sending an email to the following address: firstname.lastname@example.org, or by writing to the following postal address: Ogólnopolski Konwent Agencji Pracy, ul. Krakowska 1, 45-018 Opole
12.1. This Policy shall enter into force and become effective on 1 January 2019.
12.2. This Policy shall be verified on an ongoing basis and updated if necessary. The User shall be informed of any changes to this Policy by means of publishing an adequate notice on the Site.