1.2. The aim of this Policy is to specify the rules, manner of processing and using personal data of natural persons who use websites administered by the Foundation (hereinafter: „the User”). Furthermore, the policy includes information concerning rights of natural persons with regard to personal data disclosed by them. The legal grounds for the Policy are provided by the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: „the GDPR”), s well as the Act on personal data protection of 10 May 2018 (Journal of Laws of 2018, item 1000). This Policy constitutes the Administrator’s execution of obligations pursuant to Articles 12 and 13 of the GDPR.
1.4. The Foundation appointed the Data Protection Inspector (DPI), who can be contacted via email: email@example.com.
2. Personal data administrator
2.1. he Foundation is the Administrator of personal data transferred by Users of websites, who visited and used functionalities offered by websites administered by the Foundation (hereinafter: „Websites”):
2.2. The Foundation can obtain personal data through the agency of:
- Users’ contact with the Foundation via contact forms available on Websites and transferring their personal data together with the contents of the message,
- Users posting comments or opinions on Websites,
- Users’ enrolment in the Foundation’s mailing list in order to receive information promoting knowledge on oncological diseases, the Foundation’s achievement of statutory objectives, including informing about organised social actions (campaigns, actions, protests, petitions, debates, seminars, scientific or press conferences), as well as possibilities of supporting the Foundation’s activities,
- Users signing petitions, protests and supporting other social actions conducted by the Foundation,
- Users making donations via website skarbonka.alivia.org.pl,
- donors paying 1% tax to the benefit of the Foundation that is a non-profit organisation, as well as making a donation directly to the Foundation’s bank account,
- Users joining the Skarbonka programme via the website skarbonka.alivia.org.pl as the Foundation’s wards,
- direct contact with the Foundation of persons whom data concerns by telephone, via emails and mails,
- candidates for employees submitting application documents directly to the Foundation’s email addresses or via intermediary websites,
- public institutions and public authorities, who, in the frameworks of conducted proceedings, transfer personal data in order to execute legal provisions.
2.3. By collecting personal data the Administrator registers information concerning the sources of obtaining such data. Users’ personal data is directly obtained from persons whom data concerns, as well as from third parties.
2.4. The Administrator takes the utmost care so that personal data is processed in compliance with the purpose for which it has been collected and used in compliance with premises and categories of processed data permitted by the law, in particular, in compliance with the rules of processing personal data stipulated in Article 5 of the GDPR.
3. The purposes and legal grounds for processing personal data
The Administrator processes personal data in compliance with the profile of activity, only for the purposes indicated below. If, due to the legal provisions, characteristics of the service or the necessity to settle it, there is a need to process other personal data of persons whom data concerns, the Administrator can process it in the necessary scope.
3.1. In order to contact the Foundation via contact form posted on Websites with regard to submitting a question or sent application, the following personal data of Users is processed: first name and surname, email address, information on health condition.
The legal grounds for processing personal data constitute the legally justified interest of the Administrator – Article 6 par. 1 letter f) of the GDPR, consisting in servicing the message answering questions. In the case of forms in which Users transfer information on health condition, it is necessary to agree to the processing of special categories of data in compliance with Article 9 par. 2 letter a) of the GDPR. Refusal to give personal data or not giving consent to processing special categories of data shall result in the lack of the possibility to service sent message and thus, deleting it.
3.2. In order to post comments by Users on Websites and then, verify correctness thereof by the Administrator, the following personal data of Users is processed: first name and surname, email address, telephone number, information on health condition.
The Administrator processes personal data upon prior Users’ acceptance of the Rules and Regulations of the Website and thus, Article 6 par. 1 letter b) of the GDPR shall constitute the grounds of processing. Data concerning the health condition shall be processed on the grounds of a permission given by Users in compliance with Article 9 par. 2 letter a) of the GDPR. Giving personal data in order to post comments is voluntary. Not giving consent to process special categories of data shall result in the lack of the possibility to post comments.
3.3. In order to send to Users via email the information on social actions organised by the Foundation, possibilities of supporting the Foundation’s activity, as well as on achieving other statutory objectives of the Foundation, the following personal data of Users shall be processed: first name, surname, email address.
The legal grounds for processing personal data constitute the Administrator’s justified interest – Article 6 par. 1 letter f) of the GDPR, which consists in the Foundation’s maintenance of a regular contact with Users for the purposes of transferring information on ongoing implementations of statutory objectives of the Foundation.
3.4. In order to submit a petition by the Foundation to relevant authorities and then, to inform Users of further course of the social action , which has been supported by them, the following personal data of Users are processed: first name, surname, email address, telephone number.
Legal grounds for processing personal data given by the User in order to sign the petition and then, communication with persons supporting the given social action in order to inform of its further course constitute the consent given by the Users in compliance with Article 6 par. 1 letter a) of the GDPR.
3.5. In order to anage payments from donors (both via the website skarbonka.alivia.org.pl, 1% of tax to the benefit of the non-profit organisation, directly to the Foundation’s bank account), including issuing certificates for tax purposes the following personal data of Users is processed: first name, address of residence, email address, bank account number.
The legal grounds for processing donors’ personal data constitute Article 6 par. 1 letter c) of the GDPR – in order to fulfil by the Foundation the legal obligation imposed on it. In the case of persons who paid 1% of tax to the benefit of the Foundation, the data for the purposes of sending thanks shall be processed on the grounds of the given consent – Article 6 par. 1 letter a) of the GDPR.
3.6. In order to perform the agreement concluded with wards on providing financial support , preceded with verification of given data concerning the health condition of wards, the following personal data is processed: first name, surname, PESEL (Personal Identification Number), address of residence, email address, telephone number, information on the health condition of the person to the benefit of whom the Foundation shall provide financial assistance, as well as first name, surname, email address and telephone number of this person’s plenipotentiary.
The legal grounds for processing personal data:
- Article 6 par. 1 letter b) of the GDPR – personal data of wards and plenipotentiaries with whom the agreement on providing financial assistance shall be concluded,
- Article 9 par. 2 letter a) of the GDPR – for purposes of verifying by the Foundation data concerning the health condition of the person with whom the agreement on providing financial assistance shall be concluded.
3.7. In order to determine and assert claims, as well as protect against claims, including documenting of reported objections against personal data processing Users’ personal data transferred to the Foundation shall be processed.
The legal grounds for personal data processing constitute Article 6 par. 1 letter f) of the GDPR, which allows processing personal data for purposes of possible determination, assertion or protection against claims constituting performance of the legally justified interest of the Administrator.
3.8. In order to conduct the recruitment process it is necessary to provide personal data of candidates in the scope resulting from the contents of Article 221 par. 1 of the Labour Code: first name (names) and surname, date of birth, contact data given by the candidate, education, professional qualifications and the course of the hitherto employment, if necessary to perform a job of specific type or on a specific position.
Legal grounds for conducting the recruitment process:
- the Act of 26 June 1974 – the Labour Code (Journal of Laws of 1974, No. 24, item 141, as amended),
- Article 6 par. 1 letter b) of the GDPR which allows processing personal data, if necessary to take activities aimed at performance of the agreement.
Giving other data by candidates, not enumerated in the catalogue provided in Article 221 par. 1 of the Labour Code is voluntary. Legal grounds for processing such personal data constitute Article 6 par. 1 letter a) of the GDPR which allows processing personal data on the grounds of the voluntarily given consent, which can be revoked at any time without impact on the compliance with the law of the processing performed on the grounds of the consent given before withdrawal thereof.
The recruitment process consists of several stages at which candidates’ personal data is processed: preliminary selection of received applications, contact with selected candidates, selection of an employee. In the case of giving consent by the candidate to the processing of their personal data in future recruitment, the legal grounds for processing such personal data constitute Article 6 par. 1 letter a) of the GDPR which allows processing personal data on the grounds of the voluntarily given consent, which can be revoked at any time without impact on the compliance with the law of the processing performed on the grounds of the consent given before withdrawal thereof.
4. Recipients of personal data
4.1. Recipients of personal data entrusted to the Administrator by persons whom data concerns are the following entities to whom personal data is transferred in a minimal scope necessary for the purposes of which it has been obtained:
- authorised personnel of the Administrator;
- entities processing personal data on behalf of the Administrator (e.g. the accounting office, suppliers of technical services, suppliers of hosting services);
- public institutions which provide assistance to the Foundation’s wards (e.g. hospitals);
- relevant bodies authorised in compliance with the binding legal provisions.
4.2. The Administrator declares that he does not sell, share or transfer personal data collected for processing to other persons or institutions, unless it is done so upon an explicit consent or upon a request of the persons whom data concerns, or upon a request of state bodies authorised on the grounds of the act for the purposes of conducted proceedings or activities related to the safety or defence, for legally defined tasks performed to the benefit of public welfare, when it is necessary for legally justified purposes of the Foundation.
5. Transferring personal data to countries outside the European Economic Area (EEA)
Due to the fact that the Administrator uses applications, websites of which are located outside the EEA, personal data obtained with regard to using websites by Users can be transferred to third countries. Therefore, the Administrator made sure to use only the services provided by suppliers guaranteeing a high level of personal data protection. These guarantees result from, in particular, suppliers’ participation in the “Privacy Shield” programme established pursuant to the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
6. Personal data processing period
The Administrator processes obtained personal data for a period of time necessary for the purpose/purposes for which it has been transferred. The period of processing data is related to the purposes and grounds of processing, thus:
- data processed on the grounds of the statutory (tax) requirements shall be processed for the period of time in which legal provisions stipulate storing data;
- data processed on the grounds of the legally justified interest of the Administrator shall be processed until submitting an effective objection by the person whom data concerns or until this interest ceases to exist. Data processed for the purpose of assertion or defence against claims shall be processed for a period of time correspondent to the limitation period of these claims;
- data processed on the grounds of the consent shall be processed until withdrawal of the consent given by the person whom data concerns;
- personal data processed within the recruitment process shall be processed until the end of this process.
7. Rights vested in data subjects
7.1. he Administrator executes rights vested in persons whom data concerns related to processing their personal data. In particular, each data subject has the right to:
- access their personal data,
- rectify personal data,
- erase data (“the right to be forgotten”),
- limit personal data processing,
- object personal data processing.
7.2. In the case the grounds for personal data processing constitute the legally justified interest of the Administrator, the data subject has the right to object at any time personal data processing without the necessity to justify their decision, especially in the case the legally justified interest consists in conducting activities related to direct marketing.
7.3. The consent given by data subjects via Websites can be at any time withdrawn, which shall not influence the compliance with the law of data processing executed before withdrawal of such a consent.
7.4. The Administrator informs that he is not obliged to erase data (that is to exercise “the right to be forgotten”) in the case data processing is necessary:
- to exercise the right of freedom of speech and information,
- to fulfil the legal obligation to process data pursuant to the European Union law or the Polish law,
- for archiving purposes in public interest, purposes of scientific or historical research or statistical purposes,
- to determine, assert or defend claims.
7.5. The above rights as well as the intention to withdraw the consent can be exercised by sending a relevant request via email to the Data Protection Inspector: firstname.lastname@example.org or by mail to the registered office of the Foundation given in point 1. 1 of the Policy.
8. Automated decision taking and profiling
Your data can be processed by the Administrator in an automated manner, including profiling. However, decisions regarding an individual related to such processing shall not be automated.
9. Security and storing information
The Administrator ensures security of personal data against its illegal disclosure to unauthorised persons, taking over data by an unauthorised person, destruction, loss, damage or change and processing personal data in a manner not compliant with the provisions of the GDPR.
In order to secure entrusted personal data the Administrator undertakes technical and organisational measures meeting the GDPR requirements, especially the measures enumerated in Article 24 and Article 32 of the GDPR, ensuring confidentiality, integrity and availability of services concerning processing of entrusted personal data.
ookies are small files sent by the website to the User’s search engine and stored on their computer. Cookies help the Administrator to analyse network traffic and recognise which part of the website was visited. Cookies in no way allow the Administrator to access User’s computer or information with an exception of the information on how the website was used and personal data automatically shared by Users due to the search engine’s settings.
The Administrator uses session and permanent cookies, as well as Facebook pixel. Session cookies are temporary files which are stored on the User’s terminal equipment until logging out or exiting the website. Permanent cookies allow the Administrator to recognise your search engine during next visit on websites administered by the Foundation and adjusting Websites to the Users’ needs (e.g. remembering preferred language or the font size), as well as for statistical purposes. Permanent cookies remain in the memory of your peripheral equipment until deletion thereof. While using the Foundation’s Websites the User agrees to placing cookies on their computer or other equipment for the aforementioned purposes. If the User does not agree to receive cookies, they can manage and control them via settings of their search engine. However, you should remember that deleting or blocking cookies can have an impact on the manner of using Foundation’s Websites.
In order to monitor and improve the Website administered by the Foundation, summary information about Users is collected at the moment of visiting the website, in particular, details concerning the operating system, version of the search engine, name of the domain, IP address, URL address of the User, from which they visit the Foundation’s websites and to which the User goes, as well as which pages of the website have been visited. The Administrator can keep general statistics, collect data concerning the network traffic on the website and the information on related websites and share this summary data with third parties for marketing, advertising or other promotional purposes, however, this summary data does not include any personal data. For statistical purposes the Administrator uses services provided by such suppliers as: Google Analytics and Yandex metrica.
11. Social media plugins
The following social media plugins transferring Users to the Foundation’s profiles kept on social media portals: Facebook, YouTube, Instagram, Twitter and LinkedIn are used on the Websites administered by the Foundation. Due to the functionalities offered by these plugins, Users can post specific content or share it on social media. However, we would like to underline that by using these plugins data is exchanged between the User and a given social portal or website. The Administrator does not process this data and does not have knowledge on which Users’ data is collected. Therefore, we encourage you to read rules and regulations as well as privacy policies of these social media portals before using a given plugin.
12. The right to complaint
In case of stating that the rights of the natural person resulting from the legal provisions and the Policy have been infringed, Users are vested with the right to complain to the Office for Personal Data Protection with its registered office in Warsaw, at ul. Stawki 2.
13. Final Provisions
In the scope not regulated herein, the European Union and national provisions regarding personal data protection apply.
Date of the last update of the Policy: 23 marca 2020 r.