POLICY OF PERSONAL DATA PROCESSING
DEFINITIONS
• Administrator - Maja Kowalczyk running a business activity under the name Maja Kowalczyk Art with registered office in Warsaw, 2a Mysikrólika Street, 02-809 Warsaw, Tax Identification Number (NIP) 9511929055.
• Personal data - information about a natural person identified or identifiable through one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity, including image, voice recording, contact information, location data, the information contained in correspondence, information collected through recording equipment or other similar technology.
• Data Subject - natural person to whom the Personal Data processed by the Administrator relates.
• Policy - this Personal Data Processing Policy.
• RODO - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
DATA PROCESSING BY THE ADMINISTRATOR
• In connection with its business activities, the Administrator collects and processes Personal Data in accordance with the relevant legal provisions, including in particular the RODO, and the data processing rules provided for therein.
• The Administrator ensures transparency of the processing of Personal Data, in particular, always informs about the processing at the time of collection, including the purpose and legal basis of the processing. The Administrator shall ensure that the Data is collected only to the extent necessary to fulfill the indicated purpose and processed only for the period of time necessary.
• When processing Personal Data, the Administrator shall ensure its security and confidentiality, as well as access to information about the processing to Data Subjects. Should a breach of the protection of Personal Data (e.g. data "leakage" or loss) occur despite the security measures in place, the Administrator shall inform the Data Subjects of such an event in accordance with the regulations.
CONTACT WITH ADMINISTRATOR
• Contact with the Administrator is possible through the e-mail address majakowalczykart@gmail.com or the mail address: 2a Mysikrólika Street, 02-809 Warsaw.
SECURITY OF PERSONAL DATA
• In order to ensure data integrity and confidentiality, the Administrator has implemented procedures allowing access to Personal Data only to authorized persons and only to the extent necessary due to their tasks. The Administrator applies organizational and technical solutions to ensure that all operations on personal data are recorded and performed only by authorized persons.
• Furthermore, the Administrator shall take all necessary steps to ensure that also its subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process Personal Data on behalf of the Administrator.
• The Administrator shall take all necessary measures to ensure that also its subcontractors and other cooperating entities guarantee that appropriate security measures are applied whenever they process Personal Data on behalf of the Administrator.
PURPOSES AND LEGAL BASIS OF THE PROCESSING
• E-MAIL AND POSTAL CORRESPONDENCE
• In case of e-mail or traditional mail correspondence to the Administrator, unrelated to the services provided to the sender or any other contract concluded with the sender or otherwise unrelated to any relationship with the Administrator, the Personal Data contained in this correspondence is processed solely for the purpose of communication and resolution of the matter which the correspondence concerns.
• The legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO), consisting of the correspondence addressed to him in connection with his or her business activities.
• The Administrator processes only Personal Data relevant to the matter to which the correspondence relates. All correspondence is stored in a manner ensuring the security of the Personal Data (and other information) contained therein and is disclosed only to authorized persons.
• CONTACT BY PHONE
• In case of telephone contact with the Administrator in matters not related to the concluded contract or the provided services, the Administrator may require the provision of Personal Data only if it is necessary for the purpose of handling the contacted matter. In such a case, the legal basis is the Administrator's legitimate interest (Article 6(1)(f) of the RODO), which consists in the necessity to resolve the reported matter related to the Administrator's business activity.
• COLLECTION OF DATA IN CONNECTION WITH THE PROVISION OF SERVICES OR PERFORMANCE OF OTHER CONTRACTS
• Where data is collected for the purposes of performing a specific contract (e.g., a commercial contract with a business partner), the Administrator shall provide the Data Subject with details of the processing of his or her personal data at the time the contract is entered into, or at the time the personal data is acquired if the processing is necessary for the Administrator to take action at the Data Subject's request, prior to entering into the contract.
• COLLECTION OF DATA IN OTHER CASES
• In connection with the business activity, the Administrator collects Personal Data also in other cases - e.g. by establishing and using permanent mutual business contacts (networking) during business meetings, at industry events, or by exchanging business cards - for the purposes of initiating and maintaining business contacts. The legal basis for the processing, in this case, is the legitimate interest of the Administrator (Article 6(1)(f) of the RODO), which consists in creating a network of contacts in connection with the conducted business activity.
• Personal data collected in such cases is processed only for the purpose for which it was collected and the Administrator ensures its adequate protection.
RECIPIENTS OF THE DATA
• In connection with conducting activities that require processing, Personal Data is disclosed to external entities, including in particular suppliers responsible for operating IT systems and equipment, entities providing legal and accounting services, couriers, etc.
• The Administrator reserves the right to disclose selected information concerning the User to competent authorities or third parties who will submit a request for such information on the basis of an appropriate legal basis and in accordance with the provisions of the applicable law.
TRANSFER OF DATA OUTSIDE THE EEA
• The level of protection for Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Administrator transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, primarily by:
• cooperating with processors of Personal Data in countries for which a relevant decision of the European Commission has been issued regarding the finding of an adequate level of protection for Personal Data;
• applying standard contractual clauses issued by the European Commission;
• use of binding corporate rules approved by the relevant supervisory authority;
• in case of transferring data to the U.S., cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
PERIOD OF PERSONAL DATA PROCESSING
• The period of data processing by the Administrator depends on the type of service provided and the purpose of the processing. The period of data processing may also result from regulations when they constitute the basis for processing. If the data is processed on the basis of the legitimate interest of the Administrator (e.g. for security reasons), the data is processed for a period that enables the realization of this interest or until an effective objection to the processing is raised. Where the processing is based on consent, data is processed until the consent is withdrawn. When the basis for processing is the necessity to conclude and perform a contract, the data is processed until the contract is terminated.
• The period of data processing may be extended if the processing is necessary to establish and assert possible claims or to defend against claims, and after that time only in the case and to the extent required by law.
RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA
• RIGHTS OF THE DATA SUBJECTS
• Data subjects have the following rights:
• right to information about the processing of personal data - on this basis the Administrator provides the individual making the request with information about the processing of data, including in particular the purposes and legal basis of the processing, the scope of the data held, the entities to which the data are disclosed, and the planned date of data erasure;
• the right to obtain a copy of the data - on this basis the Administrator provides a copy of the processed data concerning the natural person submitting the request;
• right to rectification - the Administrator is obliged to rectify any inconsistencies or errors in the processed Personal Data and to complete them if they are incomplete;
• right to data erasure - on this basis, the data can be erased if its processing is no longer necessary for any of the purposes for which they were collected;
• right to restriction of processing - if such a request is made, the Administrator shall cease performing operations on the Personal Data - with the exception of operations authorized by the Data Subject - and their storage, in accordance with the adopted rules of retention, or until the reasons for the restriction of processing cease to exist (e.g. a decision is issued by a supervisory authority authorizing further processing);
• the right to data transfer - on this basis - to the extent that the data are processed by automated means in relation to the concluded contract or consent - the Administrator issues the data provided by the data subject in a computer-readable format. It is also possible to request the data to be sent to another entity, provided that there is a technical possibility to do so on the part of both the Administrator and the indicated entity;
• right to object to processing for marketing purposes - the Data Subject may at any time object to the processing of Personal Data for marketing purposes, without having to justify the objection;
• right to object to other purposes of processing - the Data Subject may at any time object, on grounds relating to his or her particular situation, to the processing of Personal Data which is carried out on the basis of a legitimate interest of the Administrator (e.g. for analytical or statistical purposes or reasons relating to the protection of property); the objection in this respect should contain a justification;
• right to withdraw consent - if the data is processed on the basis of the consent given, the Data Subject has the right to withdraw the consent at any time, which, however, does not affect the lawfulness of the processing performed before the withdrawal;
• right to file a complaint - if the Data Subject believes that the processing of Personal Data violates the provisions of the RODO or any other regulations concerning the protection of Personal Data, the Data Subject may file a complaint with the supervisory authority supervising the processing of Personal Data, which has jurisdiction over the Data Subject's habitual residence, place of work or the place where the alleged infringement occurred. In Poland, the supervisory authority is the President of the Office for Personal Data Protection.
SUBMISSION OF REQUESTS REGARDING THE EXERCISE OF RIGHTS
• A request concerning the exercise of the Data Subjects' rights can be made:
• in writing to: 2a Mysikrólika Street, 02-809 Warsaw;
• via e-mail to: majakowalczykart@gmail.com
• If the Administrator is unable to identify the natural person on the basis of the submitted request, he/she will ask the requester for additional information. Providing such data is not mandatory, however, failure to provide it will result in refusal to process the request.
• The request may be submitted in person or by a representative (e.g., family member). For the reason of data security, the Administrator encourages to use the power of attorney in the form certified by a notary public or an authorized legal counsel or attorney, which will significantly accelerate the verification of the authenticity of the request.
• The request should be answered within one month of its receipt. If it is necessary to extend this period, the Administrator shall inform the requester of the reasons for such action.
• The request should be answered within one month of its receipt. If it is necessary to extend this period, the Administrator shall inform the requester of the reasons for such action. If the request has been addressed to the Administrator electronically, the response shall be provided in the same form, unless the applicant has requested a response in a different form. In other cases, the response shall be provided in writing. If the deadline for completing the request makes it impossible to provide a written response, and the scope of the applicant's data processed by the Administrator enables electronic contact, the response shall be provided electronically.
• The Administrator shall store information regarding the submitted request and the person who submitted the request, in order to ensure that compliance can be demonstrated and for the purpose of establishing, defending, or asserting possible claims of data subjects. The log of requests shall be stored in a manner that ensures the integrity and confidentiality of the data contained therein.
CHANGES TO THE PRIVACY POLICY
• This Policy shall be reviewed on an ongoing basis and updated when necessary.
• The current version of the Policy has been adopted and is effective from 17.05.2021
