Valid form: 31 August 2021
Data controller of the personal data
- Data controller of the personal data provided during using this Website, services or training on www.paragona.com/academy is Paragona Polska spółka z ograniczoną odpowiedzialnością spółka komandytowa (limited partnership with limited liability company as a partner), with its registered office in Warsaw, Aleja Jana Pawła II 29, 00-867 Warsaw, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division – National Court Register under KRS number: 0000208952, REGON 015748340, NIP (Tax Identification Number): 526277185, e-mail: firstname.lastname@example.org
- Personal data are processed in accordance with applicable law, especially: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation/GDPR), which is EEA relevance (Official Journal of the European Union – L 119/184.108.40.2066).
1. Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, i.e.: Paragona Polska spółka z ograniczoną odpowiedzialnością spółka komandytowa (limited partnership with limited liability company as a partner), with its registered office in Warsaw, Aleja Jana Pawła II 29, 00-867 Warsaw, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division – National Court Register under KRS number: 0000208952, REGON 015748340, NIP (Tax Identification Number): 526277185, e-mail: email@example.com
3. Personal data – any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. Recipient – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
5. Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
6. Processing – any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
7. Website/Internet service – a website available at www.paragona.com, which through the User can view its content, contact the data administrator, including registering to apply for training or recruitment.
8. User/Data subject – a natural person about whom a controller holds personal data and who can be identified, directly or indirectly, by reference to the personal data, including a person applying for training or recruitment, also persons contacting via messages (messenger) sent on the Fanpage – Facebook “@ paragona.academy” or via the contact details on the Website.
The purposes of the processing
- The controller processes data for the following purposes:
a) performance of the contract, if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, i.e.: application for training, providing data for the conclusion of the contract and its implementation, based on Article 6(1) point (b) GDPR,
b) recruiting for vacant positions, based on Article 6(1) point (a) GDPR, i.e.: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal,
c) answering the question asked via the contact details available on the Website or through social media, based on Article 6(1) point (b) GDPR, i.e.: if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
d) documenting the contract, services or training, including issuing an invoice or invoice for a natural person, keeping accounting and tax documentation, based on Article 6(1) point (c) GDPR, i.e.: processing is necessary for compliance with a legal obligation to which the controller is subject, especially on the basis of Polish law (Article 70 of the Act of August 29, 1997 Tax Ordinance (Dz. U. 1997 Nr 137 poz. 926) or any relevant act in the future,
e) sending ordered commercial information by electronic means (newsletter) to the User’s e-mail address, based on Article 6(1) point (a) GDPR, i.e.: the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
f) if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, based on Article 6(1) point (f) GDPR.
2. The personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, based on Article 5(1) point (c) GDPR, i.e.: data minimisation.
3. Providing data is necessary for the purpose of conclusion and implementation of contracts, keeping accounting records, participate in recruitment, pursue claims, as well as to answer questions.
4. Failure to provide the required data prevents the correct performance of the contract, issuing an invoice, participation in the recruitment procedure, answering questions. Providing other data is voluntary.
The period of data processing – storage limitation
The period of data processing by the controller depends on the purpose of the processing:
a) in order to perform the contract, including training – for the duration of the contract and 5 years from the end of the calendar year in which the tax payment deadline expired – based on Article 70 of the Act of August 29, 1997. Tax Ordinance, in connection with the accounting documents issued by the personal data administrator,
b) in order to issuing invoices – 5 years from the end of the calendar year in which the tax payment deadline expired – based on Article 70 of the Act of August 29, 1997. Tax Ordinance,
c) in order to answering questions (inquiries, information about training, dates, prices, etc.) – personal data are processed only for the period necessary to provide an answer, but not longer than 6 months from the date of receipt of the inquiry, unless a contract has been concluded between the personal data controller and the data subject or the data subject has not consented to further processing,
d) in order to send the ordered commercial information by electronic means (newsletter) to the e-mail address provided by the User, but no longer than to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal,
e) in order to pursue claims by the data controller or the data subject, based on Article 6(1) point (f) GDPR, the period of pursuing claims may depend on the current f) legal regulations that allow it in the EEA,
g) in order to recruit for vacant positions until the consent for future recruitment is withdrawn by the data subject,
h) in the case of data processing for other purposes, the data will be kept for the period necessary to achieve this purpose, about which the User will be informed.
The recipients or categories of recipients of the personal data.
- The personal data may be available only to entities authorised or with consent of data subject.
- The personal data of the data subject may be entrusted to other entities in order to provide services at the request of the data controller, in particular for the purpose of:
a) website hosting and e-mail maintenance,
b) accounting services and tax settlements of the data administrator by an external entity (accounting office),
c) maintaining IT systems in which they are processed, including systems for issuing invoices, newsletter service, contract archiving, etc.,
d) sending correspondence through a courier service broker.
- The personal data of the User who makes electronic payments to the data administrator, in particular in connection with access to training, will be made available to electronic payment operators referred to in the T&Cs – the present terms and conditions, which provide provision of electronic services, specifying the rules of making purchases in the online Store.
- The processing of User’s data outside the EEA may also be related to the use by the administrator of personal data from IT systems whose servers are located outside the European Economic Area, in particular in the United States of America (USA) and United Kingdom (UK), and this processing takes place on the basis of standard contractual clauses regarding the transfer of data to third countries, concluded between the personal data administrator and the solution provider, or on the basis of a positive decision of the European Commission stating an adequate level of protection for the United Kingdom (Commission implementing decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom).
The rights of data subjects
The data subject shall have the right:
- to access to the personal data, and a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs,
- to rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement,
- to data portability, in a structured, commonly used and machine-readable format, where the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and (b) the processing is carried out by automated means,
- to erase / be forgotten, especially if the data subject withdraws consent on which the processing is based, the personal data have been unlawfully processed,
- to restriction of processing, especially if the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; the data subject has objected to processing pursuant to Article 21(1) GDPR, pending the verification whether the legitimate grounds of the controller override those of the data subject,
- to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal,
- to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions,
- the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except for the situations indicated in Article 22(1) GDPR,
- to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, also the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where the personal data are not collected from the data subject, any available information as to their source, based on Article 15 GDPR,
- to lodge a complaint with a supervisory authority – in Poland it is Urząd Ochrony Danych Osobowych (UODO)/Personal Data Protection Office, ul. Stawki 2, 00-193 Warszawa/Warsaw, Poland, or to any relevant supervisory authority in the European Economic Area, especially in the country of residence the subject data, if the data processing violates the provisions of the General Data Protection Regulation (GDPR).
The data source
The personal data are collected directly from the subject data, especially via the contact forms on the website, as well as electronic or traditional means of communication.