PRIVACY POLICY

Thank you for your interest in our company. Data protection is of particular importance for the management of Heller Consult Sp. z o.o. and we make efforts to protect your data as much as possible. Using the websites of Heller Consult Sp. z o.o. is generally possible without providing personal data. However, if the person concerned wants to use our special services through our website, personal data processing may be required. If processing of personal data is required and there is no legal basis for such processing, we usually seek the consent of the data subject.

Processing of personal data, such as the name, address, e-mail address or telephone number of the data subject is always in accordance with the General Data Protection Regulation and in accordance with national data protection regulations in force at Heller Consult Sp. z o.o. Thanks to this privacy policy our company tries to inform the public about the nature, scope and purpose of collected, used and processed personal data. Moreover, the data subjects are informed about their rights resulting from this privacy policy.

As an Administrator, Heller Consult Sp. z o.o. has implemented technical and organizational measures to ensure the highest possible protection of personal data processed through this website. Nevertheless, Internet data transmissions can generally have gaps in security, so absolute protection cannot be guaranteed. For this reason, any interested person wishing to use our special services may provide us with personal data (contact details) in other ways, for example by telephone.

The privacy policy of Heller Consult Sp. z o.o. is based on the terminology used by the European directive and the regulatory body for the adoption of the General Regulation on Personal Data Protection (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to clarify the terminology used in advance.

Definitions

Administrator

The Administrator is a natural or legal person, public authority or body which alone or jointly with others decides on the purposes and means of processing personal data. Where the purposes and means of such processing are laid down in Union law or in the law of the Member States, the Administrator or specific criteria for its designation may be provided for in Union or national law.

Processor

A processor who is a natural or legal person, public authority, agency or other entity processing personal data on behalf of the controller.

Recipient

Recipient is a natural or legal person, agency or other entity to whom personal data have been disclosed, regardless of whether it is a third party. Government bodies which may receive personal data in accordance with EU or national law in relation to a specific mission are not considered as beneficiaries.

Third party

A third party is a natural or legal person, a public authority or body other than the data subject, the controller, the processor and persons directly authorized by the controller or processor to process personal data.

Personal data

Personal Data is any information relating to an identified or identifiable natural person, hereinafter referred to as “interested party” or “User”. An individual is considered to be identifiable, directly or indirectly, in particular by association with an identifier such as name, identification number, location data, online identifier, or by one or more specific characteristics including physical or physiological condition, and when the individual’s genetic, mental, economic, cultural or social identity can be identified.

Person concerned, data subject, User

Any identified or identifiable natural person whose personal data is processed by the Administrator.

Consent

Consent is any freely given and unambiguously expressed in the form of a statement or other unambiguous act confirming by means of it, by the data subject, in this particular case that the data subject agrees to the processing of personal data.

Processing of data by the Administrator

Processing of data by the Administrator means that any process or series of operations in connection with personal data such as collecting, collecting, organizing, storing, adapting or modifying, reading, questioning, using, with or without the help of automated procedures; disclosure by submission, dissemination or otherwise ensuring, linking, limiting, deletion or destruction.

Service

Website (site), whose Administrator is Heller Consult Sp. z o.o.

Limitation of processing

The limitation of processing is marking the stored personal data in order to limit their further processing.

Data profiling

Profiling is any kind of automated processing of personal data which involves the use of such personal data to evaluate certain personal aspects concerning an individual, in particular those relating to his or her work, economic situation, health, personal characteristics, as well as to analyze or anticipate his or her preferences, interests, behavior, whereabouts or changes of location.

Pseudonymization

Pseudonymization involves processing personal data in such a way that personal data can no longer be attributed to a particular data subject without the need for additional information, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that personal data is not attributed to an identified or identifiable natural person. Pseudonymization is a means of implementing anonymization of personal data.

Name and address of the Administrator

The Administrator of personal data responsible in the sense of the general regulation on data protection and other regulations on data protection in the Member States of the European Union and other regulations on data protection is:

  • Heller Consult Sp. z o.o.
  • Chałubiński 8 Street, 36th
  • 00-613 Warsaw,
  • Poland
  • phone: +48 22 501 45 10
  • fax: +48 22 621 80 53
  • e-mail: hc@heller-consult.pl
  • website: https://heller-consult.pl/

Contact details of the Data Protection Officer

  • Personal Data Protection Inspector
  • Chałubiński 8, 36th
  • 00-613 Warsaw,
  • Poland
  • phone: +48 22 501 45 10
  • e-mail: inspektorochronydanychosobowych@heller-consult.pl

Any data subject may contact our Data Protection Officer at any time with any questions or suggestions regarding data protection.

Objectives and legal basis of data processing

The Administrator collects personal data for marketing purposes, including the extent necessary to provide the services offered, as well as statistical information about the activity of Users on the website owned by the Administrator. Personal data of all persons who have agreed to receive marketing content in the form of a newsletter or (including IP address or other identifiers and information collected through cookies or other similar technologies) are processed by the Administrator:

For the purpose of providing services by electronic means – to the extent of the content made available in connection with initiatives related to the Administrator’s activity or, in justified cases, information concerning the Administrator;

In order to make contact forms available for the purposes of offers – then the legal basis for the processing is the necessity of the processing for the performance of the contract (Article 6(1)(b) of the GDPR);

For analytical and statistical purposes – then the legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) consisting in conducting analyses of Users’ activity as well as their preferences in order to improve the applied functionalities and provided services;

For marketing purposes of the Administrator – The rules of personal data processing for marketing purposes are described in the section “Marketing”.

Contact forms (and handling the data acquired through the form). The Administrator provides the possibility of establishing contact with the use of electronic contact forms on the websites he owns. The use of the form requires providing personal data necessary to contact the User and answer the query. The User may also provide other data in order to facilitate contact or handling the inquiry. Providing data marked as obligatory is required in order to accept and handle the inquiry, and failure to provide such data results in a lack of possibility to handle the inquiry. Providing other data is voluntary.

Data from the contact forms are processed in order to identify the sender and to handle his inquiry sent by the form provided – the legal basis for the processing is the necessity of the processing for the performance of the service contract (Article 6(1)(b) of the GDPR);

For analytical and statistical purposes – the legal basis for the processing is the legitimate interest of the Administrator (Article 6(1)(f) of the GDPR) in keeping statistics of queries submitted by the Users.

The Administrator processes Users’ personal data in order to carry out marketing activities, which may consist in:

  • providing Users with marketing content electronically corresponding to their interests;
  • sending e-mail notifications of interesting offers or content, which in some cases contain commercial information;
  • conducting other activities related to direct marketing of goods and services (sending commercial information electronically and by telephone).

Profiling

In order to carry out marketing activities the Administrator in some cases uses profiling. This means that thanks to automatic data processing, the Administrator evaluates selected factors concerning the User in order to provide information in accordance with his/her preferences as well as to collect statistical information.

The website of Heller Consult Sp. z o.o. collects a series of general data and information each time the User accesses it. These general data and information are stored in server log files. They concern information including:

  1. types and versions of browsers,
  2. the operating system used by the access system,
  3. a website, from which the access system gains access to our website (so-called Resellers),
  4. subnetwork pages that can be accessed through (5) the date and time of access to the website,
  5. Internet protocol address (IP address),
  6. the Internet access system provider and other similar data and information used in case of attacks on our information systems.

Using this general data and information, the Administrator does not draw conclusions about the person concerned. Rather, this information is required in order to

  • correctly deliver the content of our website,
  • optimize the content of our website and its advertising,
  • ensure the continued operation of our information systems and website technology, and
  • provide law enforcement agencies with the information necessary to enforce the law in case of a cyber-attack.

These anonymously collected data are statistical data and are further evaluated by the controller to increase data protection and data security in our company in order to ultimately ensure the best possible level of protection for the personal data we process. Anonymous data from server log files are stored separately from all personal data provided by the person concerned.

Cookies

The Administrator processes data, including personal data collected through the use of cookies and other similar technologies, for marketing purposes in order to obtain statistical information about Users’ preferences. The Administrator his own cookies and those belonging to external entities, according to the disposition of the Telecommunication Law of 16 July 2004. Processing of personal data includes profiling of the Users, however, statistical information does not allow to identify individual Users.

The use of the data collected through this technology for marketing purposes is based on the legitimate interest of the Administrator and only on the condition that the User has consented to the use of cookies. Consent to the use of cookies can be expressed through an appropriate configuration of the browser, and can be withdrawn at any time, in particular by clearing the history of cookies and disabling cookies in the settings of the browser, which is included in the Rules of cookies.

Direct marketing.

If the User has agreed to receive marketing information via an e-mail and other electronic means of communication, the User’s personal data will be processed to send such information. The basis for data processing is the justified interest of the Administrator, consisting in sending marketing information within the limits of the consent given by the User (direct marketing). The User has the right to object to the processing of data for the purposes of direct marketing, including profiling. The data will be stored for this purpose for the duration of the legitimate interest of the Administrator, unless the User objects to receiving the marketing information.

Social networking sites.

The Administrator processes personal data of the Users visiting the Administrator’s profiles in social media: LinkedIn, Facebook, Twitter, and profiles maintained on other portals whose Administrator is Heller Consult Sp. z o.o. These data are processed only in connection with maintaining the profile, in order to inform the User about the Administrator’s activity and to promote various events, services and products, as well as to communicate with the User through the functionalities available in social media. The legal basis for the Administrator’s processing of personal data for this purpose is his legitimate interest (Article 6.1.f of the GDPR) consisting in promoting his own brand and building and maintaining a community connected with the brand.

Acquiring statistical data.

The Administrator and other entities providing services to the Administrator uses cookies used to monitor the website traffic, i.e. data analytics, including Google Analytics cookies (these are files used by Google to analyze the way the website is used by the User, to create statistics and reports on the website operation). Google does not use the collected data to identify the User, nor does it link this information in order to enable identification. Detailed information on the scope and principles of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners. The data is collected through the Administrator’s services and the processing is secured by the anonymization of the User’s data, which is provided by the processing entity (processor). The Administrator does not collect data in order to track Users in the network, does not use the tools enabling such activities and does not carry out activities related to cooperation with other entities aimed at obtaining such information.

Routine deletion and blocking of personal data.

The Administrator processes and stores your personal data only for the period necessary to achieve the purpose of storage or, as the case may be, by European directives or regulations or by any other legislator in laws or regulations that provide for different conditions of storage period.

If the purpose of storage is omitted or the storage period specified in the European directives and regulations or by any other relevant national legislation expires, personal data will be routinely blocked or deleted in accordance with statutory provisions.

Data storage period.

The period of data processing by the Administrator depends on the type of service provided and the purpose of processing. As a rule, the data are processed for the duration of the service or the execution of the order, until the withdrawal of the consent or effective objection to data processing in cases where the legal basis for data processing is the legitimate interest of the controller. The period of data processing may be extended if the processing is necessary to establish and pursue possible claims or defences against them, and after that time only if and to the extent required by law. After the processing period has expired, the data are irreversibly deleted or rendered anonymous.

User rights.

Every User (interested person) who agrees to have his data processed by Heller Consult Sp. z o.o. has the right to:

Right to confirm.

Each data subject (interested party, User) has the right, as acknowledged by the European regulatory authorities, to require the Administrator to check whether his or her personal data are being processed. If the person concerned wishes to exercise this right of confirmation, he or she may contact an employee of the controller at any time.

The right to information about the processing of personal data.

Every person concerned by the processing of personal data has the right, at any time, to obtain from the controller information about the personal data stored about him and a copy of this data. On this basis, the person making such a request shall be provided by the Administrator with information about the processing of personal data which may include:

  • processing objectives,
  • categories of personal data processed,
  • the recipients or categories of recipients to whom the personal data have been or are about to be disclosed, in particular to recipients in third countries or international organisations,
  • if possible, the planned duration of personal data storage or, if this is not possible, the criteria for determining this duration,
  • the existence of the right to rectify or delete personal data concerning the person or to restrict the processing by the person responsible or to object to such processing,
  • the existence of the right to appeal to the supervisory authority,
  • if personal data is not collected from the data subject: All available information about the data source,
  • the existence of automated decision making, including profiling in accordance with Article 22(1) and (4) of the General Data Protection Regulation (GDPR), and, at least in those cases, the existence of relevant information on the logic and extent or intended impact of such processing on the data subject. Furthermore, the data subject has the right of access to personal data transferred to a third country or international organization. In this case, the data subject has the right to be informed about the appropriate safeguards for the transfer.

If the person concerned wishes to exercise this right of rectification, he or she may contact an employee of the Administrator at any time.

Right of rectification

Every data subject (User) involved in the processing of personal data has the right granted by the European legislator to demand immediate correction of inaccurate personal data concerning him/her. Furthermore, the data subject has the right to request the filling in of incomplete personal data, including by means of a supplementary notification, taking into account the purposes of the processing.

If the person concerned wishes to exercise this right of rectification, he or she may contact a member of the controller at any time.

Right of appeal (right to be forgotten)

Every person subject to the processing of personal data has the right granted by the European directives and regulatory authorities to request from the controller the immediate deletion of personal data concerning him or her, provided that one of the following reasons is met and the processing is not required:

  • Personal data has been collected for such purposes or otherwise processed for which it is no longer required.
  • The data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6 paragraph 1a) Article 9 paragraph 2a) and has no other legal basis for the processing.
  • The data subject objects to the processing and has no legitimate grounds for processing or data objects.
  • Personal data has been unlawfully processed.
  • The erasure of personal data is necessary to fulfil a legal obligation under EU or national law to which the controller is subject.

If one of the above reasons is correct and the interested party wants to start deleting personal data stored by Heller Consult Sp. z o.o., he can contact the Administrator’s employee at any time. The employee of Heller Consult Sp. z o.o. will organize the immediate fulfillment of the request for help.

If the personal data have been made public by Heller Consult Sp. z o.o. and if our company as a responsible person is obliged to delete the personal data in accordance with Article 17 paragraph 1 of the General Data Protection Regulation (GDPR), Heller Consult Sp. z o.o. takes appropriate actions, taking into account the available technology and costs of implementation also of a technical nature, to inform other data Administrators who process published personal data that the data subject has requested removal of all links to these personal data or their copies or replicas, if processing is not required. An employee of Heller Consult Sp. z o.o. will order the necessary steps in individual cases.

Right to limit processing

Each User concerned by the processing of personal data has the right, granted by the European Directive and the regulatory authority, to require the Administrator to limit the processing if one of the following conditions applies:

  • The accuracy of the personal data is questioned by the data subject for a certain period of time, which allows the Administrator to verify the accuracy of the personal data.
  • The processing is illegal, the data subject refuses to delete the personal data and instead demands the restriction of the use of the personal data.
  • The Administrator no longer needs personal data for the purposes of processing, but the data subject requires him/her to pursue, execute or defend legal claims.
  • The person concerned has reservations about the processing in accordance with Article 21.1 of the General Data Protection Regulation (GDPR) and it is not yet clear whether the legitimate reasons of the responsible person are more important than the interests of the person concerned.

If one of the above mentioned conditions is met and the interested party wishes to ask for a limitation of personal data stored by Heller Consult Sp. z o.o., he may contact the Administrator’s employee at any time. The employee of Heller Consult Sp. z o.o. will initiate the limitation of processing.

Data transferability

Every person covered by the processing of personal data has the right, resulting from the European directives and regulations, to obtain personal data, which concern him/her, provided to the Administrator by the data subject in a structured, common and readable computer format. The person also has the right to transfer these data to another Administrator without hindrance from the Administrator to whom the personal data have been transferred, if it is technically feasible, and if so, it does not affect the rights and freedoms of other persons. The condition is that processing is based on compliance with Article 6(1)(a) of the General Data Protection Regulation (GDPR) or Article 9(2)(a) of the General Data Protection Regulation (GDPR) or on a contract in accordance with Article 6(1)(b) of the General Data Protection Regulation (GDPR) and processing is carried out by automated means. The exception to this is processing if it is necessary for the performance of a public service task or a task of public authority that has been entrusted to the Administrator.

In order to assert the right to data transfer, the data subject can contact an employee of Heller Consult Sp. z o. o. at any time.

Right to object

Any person concerned by the processing of personal data has the right granted by the European legislative authority to object to the processing of his or her personal data at any time on grounds of a particular situation pursuant to Article 6(1)(e) or (f) of the General Data Protection Regulation (GDPR). This also applies to profiling based on these provisions.

In case of objection, Heller Consult Sp. z o.o. will no longer process the personal data, unless we are able to prove the essential reasons for the processing which deserve to be protected and which outweigh the interests, rights and freedoms of the data subject or the processing is intended to establish, execute or defend legal claims.

If Heller Consult Sp. z o.o. processes personal data for the purpose of direct correspondence, the data subject has the right to object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, as far as it is related to such direct correspondence. If the data subject registers with Heller Consult Sp. z o.o. in order to stop direct marketing, Heller Consult Sp. z o.o. will not process personal data for these purposes.

Furthermore, the data subject has the right to object to the processing of personal data concerning him/her for scientific or historical purposes or for statistical purposes in accordance with Article 89(2). The data subject has the right to object to the processing of personal data relating to him/her for scientific or historical purposes or for statistical purposes in accordance with Article 89(1) of the General Data Protection Regulation (GDPR), unless such processing is necessary for the fulfilment of a public interest task.

In order to exercise the right to object, the person concerned may contact an employee of Heller Consult Sp. z o. o. directly.

Automatic decisions on a case by case basis, including profiling

Any data subject concerned by the processing shall have the right conferred by the European legislative authority not to be subject to a decision based solely on automated processing, including profiling, which produces a legal effect on him or her or similarly significantly affects him or her, where the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller or (2) is authorized by the legislation of the European Union or of the Member States to which the controller is subject and that legislation provides for appropriate measures to protect the rights and freedoms and legitimate interests of the data subject or (3) with the explicit consent of the data subject.

If a decision (1) is required for the conclusion or execution of a contract between the person in question and the person in charge or (2) is made with the express consent of the data subject, Heller Consult Sp. z o.o. shall take appropriate measures to protect the rights and freedoms as well as the legitimate interests of the data subject, including at least the right of the person to intervene with the Administrator, to express his own position and to challenge his decision.

The right to withdraw consent for the protection of personal data

Every person, subject to the processing of personal data, has the right, granted by the European Directive and the regulatory authority, to revoke his or her consent to the processing of personal data at any time. If the data subject wants to assert his right to withdraw his consent, he can contact an employee of the Administrator at any time.

Right of complaint

In case the processing of personal data is considered to be in breach of the provisions of the GDPR or other regulations on personal data protection, the data subject may lodge a complaint with the President of the Office for Personal Data Protection.

Data protection in application documents and recruitment process

The Administrator collects and processes candidates’ personal data in order to process them into the application process. The processing can also be done electronically. This is particularly the case if the candidate submits the relevant application documents to the Administrator by electronic means, for example, by e-mail of the web form available on the website. If the Administrator concludes an employment contract with the candidate, the data provided will be stored for the purposes of the employment relationship in accordance with the law. If the data Administrator does not conclude any employment contract with the candidate, the application documents will be automatically deleted two months after the announcement of the rejection decision, unless the deletion excludes other justified interests of the Administrator. Other legitimate interests in this sense include, for example, the burden of proof under the procedure, under the general equal treatment act (GDPR).

Privacy Policy for the use of Google Analytics

This website uses the “Google Analytics” service provided by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) to analyze the Users’ use of the website (service). The service uses “cookies” – text files stored on the device. The information collected by cookies is usually sent to a Google server in the USA and stored there.

This page gives an access to IP anonymization. Users’ IP address is shortened in the EU Member States and the European Economic Area. This reduction eliminates the personal reference of your IP address. In accordance with the terms of the agreement that the website operators have concluded with Google Inc., they use the information collected to compile an evaluation of the website activity and to provide Internet services.

It is possible to prevent the storage of cookies on person’s device by making appropriate settings in the browser. There is no guarantee that the person will be able to access all the functions of this website without restrictions if the browser does not allow cookies.

In addition, the person can use the browser plugin to prevent the information collected by cookies (including your IP address) from being transferred to and used by Google Inc. The following link leads to the corresponding plug-in: https://tools.google.com/dlpage/gaoptout?hl=en-GB.

Here is more information about the use of Google Inc. data: https://support.google.com/analytics/answer/6004245?hl=en

Click here to disable Google Analytics http://tools.google.com/dlpage/gaoptout.

Legal basis for processing

Art. 6 l (a) of the General Data Protection Regulation (GDPR) serves as a legal basis for processing operations in which we obtain consent for a specific purpose of processing. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, in processing operations necessary for the delivery of goods or the provision of any other service or provision, the processing is based on: Article 6 I (b) of the General Data Protection Regulation (GDPR). The same principle applies to processing operations that are necessary for the performance of pre-contractual activities, for example, in case of inquiries about our products or services. If our company is subject to a legal obligation that requires the processing of personal data, e.g. the fulfillment of tax obligations, the processing is based on Article 6 I (c) of the General Data Protection Regulation (GDPR). In rare cases, the processing of personal data may be required in order to protect the vital interests of the data subject or another individual. This would be the case, for example, if a visitor is injured and his name, age, health insurance or other relevant information has to be given to a doctor, hospital or other third party. The processing of data would then be based on Article 6 I (d) of the General Data Protection Regulation (GDPR). Finally, the processing of data may be based on Article 6 I (f) of the General Data Protection Regulation (GDPR). On this legal basis, processing operations which are not covered by any of the above legal bases are required if the processing is necessary to protect the legitimate interests of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the data subject prevail. Such processing operations are specifically allowed to us because they are explicitly mentioned by a European legislative authority.

Legitimate interests in the processing, which are exercised by the Administrator or a third party.

If the processing of personal data is based on Article 6 I (f) of the General Data Protection Regulation (GDPR), it is our legitimate interest to conduct our business for the benefit of all our employees and our shareholders.

Duration of personal data storage

The criterion for the storage period of personal data is the relevant statutory storage period. After this period, the relevant data will be routinely deleted if it is not necessary to fulfil the conditions of the contract or its conclusion.

Legal or contractual regulations concerning the provision of personal data; the necessity to conclude a contract; the obligation of the data subject to provide personal data; possible consequences of non-delivery.

We explain that providing personal data is partially required by law (e.g. Tax regulations) or also results from contractual regulations (e.g. Information about the contracting party).

Existence of automatic decision making

As a responsible company we refrain from automatic decision making or profiling.

Conclusions.

User requests for actions described in the section “User Privileges” can be directed:

  • in electronic form. Through the e-mail account from which the consent to the processing of data by the User was given, to the address inspektorochronydanych@heller-consult.pl.
  • In written form. To the administrator’s mailing address: Heller Consult Sp. z o.o. 8 Chałubińskiego Street, 00-613 Warsaw with the note “User data request”.

The application should specify what kind of data operation is involved (obtaining a copy of the data, limiting the processing), what kind of processing is involved in the request (e.g. use of a specific service, activity on a specific website, receiving a newsletter containing commercial information to a specific email address, etc.). If the Administrator is not able to determine the request on the basis of the information received from the User, a contact will be made with the User in order to clarify the information. The answer to the request will be given to the e-mail address from which the consent to data processing was given, and in the case of consents sent by letter, by ordinary letter within 30 calendar days of receiving the request. If it is necessary to extend this deadline, the Administrator will inform the applicant of the reasons for the extension.

Personal data security.

The Administrator takes all necessary steps to ensure that also his subcontractors and other cooperating entities guarantee the application of appropriate security measures whenever they process personal data on the Administrator’s behalf. The Administrator conducts risk analysis on an ongoing basis to ensure that personal data are processed by him/her in a safe manner – ensuring, above all, that only authorized persons have access to the data and only to the extent necessary due to the tasks they perform. The Administrator makes sure that all operations on personal data are registered and performed only by authorized employees and co-workers.

Control of policy changes

The privacy policy is reviewed on an ongoing basis and updated when necessary.