Privacy policy and the processing of personal data at EC2

Below we present information on the collection and use of personal data provided to us and the use of cookies and other technologies as part of the website available at www.ec2.pl (“Website”).

The rules for the protection of personal data are regulated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (hereinafter: GDPR).

Administrator of your personal data

The administrator of personal data processed as described below is EC2 S.A. with headquarters in Warsaw, Okopowa 47 Street, 01-059 Warsaw, KRS: 0000480272 or a subsidiary of EC2 S.A. with its seat in Warsaw, i.e. Tech Med House sp. z o. o. with its seat in Warsaw, Okopowa 47 Street, office 23, 01-059 Warsaw, KRS: 0000856343, which is a party to the contract for the provision or receipt of services or the entity that was contacted (hereinafter: “EC2” or “we”).

Type of personal data processed

In order to answer a question asked by you or to answer an attempted contact, we may access your personal data: name and surname, email address, telephone number. We use this data to contact you.

Personal data, such as name, surname, e-mail address, telephone number, company name or position held, are also collected and processed if you decide to voluntarily complete the questionnaires and forms provided by us.

When you visit our website, the IP address assigned to you is automatically recorded and then used to measure website traffic patterns and statistics. IP addresses are not stored on an individual level.

Who do we transfer personal data to?

We may transfer your personal data to our subcontractors – entities whose services we use to process data in order to achieve our goals.

Your personal data may be transferred to the following categories of recipients:

­— service providers supplying the Data Administrator with technical and organizational solutions enabling the management of the Data Administrator’s organization, including entities operating ICT systems or providing the Data Administrator with ICT tools (in particular ICT service providers, courier and postal companies),

— providers of legal and advisory services and supporting the Data Administrator in pursuing due claims (in particular law firms);

— companies from the EC2 Group;

— other entities and bodies to which the Data Administrator is obliged or authorized to provide personal data on the basis of generally applicable law.

Data transfer to third countries or international organizations

Some of our subcontractors may transfer your personal data outside the European Economic Area (EEA).

Due to our use of services, incl. Google Analytics, Facebook, LinkedIn, your personal data may be transferred outside the EEA, including the USA. Please be advised that the above entities are bound by standard contractual clauses (EU model clauses regarding the transfer of personal data between the Data Controller and processors). We encourage you to familiarize yourself with the data protection safeguards applied by the above-mentioned entities.

What is the purpose and legal basis for processing and the period of data storage

We process your personal data only for the purposes set out below and in accordance with the legal grounds set out below.

The data provided by you is stored only for the period necessary to achieve the specific purpose for which it was sent or to comply with the law. If the basis for data processing is the necessity to conclude and perform the contract, your data is stored by the Administrator until its termination.

The personal data of persons designated for contact or otherwise involved in the performance of the contract provided to the Administrator on behalf of the client or contractor of the Data Administrator are processed for the period necessary to implement the legitimate interests of the Data Administrator.

The period of data storage may be extended if the processing of your data proves necessary to establish or pursue claims or defend the Data Administrator against claims.

If you consent to the use of your personal data for marketing purposes, we will provide you with information of this nature until the consent is withdrawn.

You have the right to withdraw your consent at any time.

Purposes for which we process your personal data:

  1. answering the question you asked; legal basis: in the event of voluntary provision of personal data, you consent to their use in order to answer the question asked (article 6 section 1 letter a of GDPR); the processing of your data in order to answer the questions sent and conducting further correspondence results from our legitimate interest (article 6 section 1 letter f of GDPR). After the end of contact, your personal data will be processed on the basis of our legitimate interest, which is archiving correspondence with you, i.e. pursuant to article 6 section 1 letter f of GDPR; providing your data is voluntary, but necessary to get an answer to the question and contact us;
  2. analysing the survey responses / results (if you choose to voluntarily participate in the survey) and improving our services based on these responses / results; legal basis: if you participate in the survey, you consent to the use of your personal data for the above-mentioned purpose, and we process your personal data based on our legitimate interest, which is to use the results of the analysis of responses / survey results for the purposes provided for in the survey, in which you took part, so pursuant to article 6 section 1 letter f of GDPR; providing your data is voluntary, but necessary to take part in the survey;
  3. management of subscriptions to online events and events; legal basis: in the event of voluntary provision of personal data, you consent to the use of your personal data for the purpose indicated above, and we process your personal data on the basis of our legitimate interest, which is the efficient management of subscriptions for online events and events, i.e. pursuant to article 6 section 1 letter f of GDPR; providing your data is voluntary, but necessary to sign up for online events and events;
  4. improving and optimizing the website, also in the field of anonymizing personal data in order to conduct collective data analyses on how our website is used, including: analysis of the number of views, traffic flow, use of the search function; legal basis: EC2’s legitimate interest in improving our website and the quality of services provided, i.e. pursuant to article 6 section 1 letter f GDPR. More information can be found below in the “Cookies” section;
  5. provision of services, correspondence, conclusion or performance of a contract; legal basis: our legitimate interest in concluding or performing contracts, fulfilling legal obligations or conducting business correspondence and in order to establish, assert or defend against claims, i.e. article 6 section 1 letter f of GDPR; in the event of concluding a contract with us, the basis for the processing of your personal data is article 6 section 1 letter b of GDPR – the necessity of data processing to perform the contract or to take action at your request, before concluding the contract. In order to fulfil the legal obligations incumbent on us, including in terms of issuing an invoice and its storage, the basis for the processing of personal data is article 6 section 1 letter c of GDPR; providing your data is voluntary, but necessary for the provision of services, correspondence, conclusion.

On the basis of separate consents, if they are granted, we will be able to process your personal data for the purpose of direct marketing and sending commercial information by electronic means of communication, including by e-mail and telephone. The legal basis for the processing of personal data in this case is the consent.

Processing of personal data in ongoing business contacts

As part of concluding contracts as part of business activities, the Data Administrator may be provided with personal data of employees or associates of the Data Administrator’s clients or contractors, or other contact persons in connection with the performance of the contract with the Data Administrator’s client or contractor. The scope of the personal data obtained is limited to the extent necessary to perform the contract, which include:

— identification data (including names and surnames);

— business contact details (e.g. e-mail address, telephone number);

— data on the function performed (official position, designation of the function performed, place of the function / position held, designation of the entity in which the person works);

— other data disclosed to the Data Administrator for work contacts and business relations.

If you do not provide your personal data directly to the Data Administrator, your personal data has been made available to the Administrator by:

— the entity on behalf of which you are acting or

— the entity that provided your personal data as necessary to maintain business contacts or a business relationship with this entity;

— the entity that provided your personal data in connection with the performance of the contract with the Data Administrator.

In the above cases, your personal data is processed for purposes resulting from the legitimate interests pursued by the Data Administrator (article 6 section 1 letter f of GDPR), for which the Data Administrator considers in particular: correct and effective implementation and performance of the contract with a client or contractor, including maintaining business contacts in connection with this contract, as well as conducting internal analyses, ensuring the security of the ICT environment, using internal control systems as well as investigating and defending one’s rights against claims and in court and out-of-court proceedings.

The Data Administrator, in order to create a database of its business contacts, based on its legitimate interest (article 6 section 1 letter f of GDPR), consisting in establishing and maintaining business relationships, also collects data of persons who may constitute important business contacts, e.g. as a result of business cards shared with him.

Administrator’s profiles on social networks (Facebook, LinkedIn)

The Data Administrator maintains profiles on social networks such as Facebook and LinkedIn. In connection with the users of these websites leaving comments or other forms of activity, the Data Administrator processes the personal data of these persons. The purpose of processing this data is based on the legitimate interest of the Data Administrator consisting in enabling the activity of the users of these portals on the Data Administrator’s profile, effective running of this profile by the Data Administrator, conducting statistical and analytical activities, and, if necessary, the purpose of investigating or defence against claims.

Cookies

We use cookies to facilitate the use of the Website, as well as to be able to optimize it and improve the quality of using our websites. Cookies are small text files that the website places on the user’s computer, mobile phone or other device when visiting the website. Cookies make it easier for the website providers to recognize your device the next time you visit their website. Most web browsers accept automatic cookies, but you can change your settings in this regard. If you do not want your personal data to be stored by cookies, you can configure your browser to notify you when each cookie is received.

During your first visit to the Website, you have the opportunity to read the information on the use of cookies.

If you do not agree to receive cookies at all, please set your browser to not automatically accept cookies. However, doing so may limit the correct display of certain features and refusing to accept them may limit the functionality of our Website.

We use the cookies listed below on our website.

Basic cookies

XSRF-TOKEN

Used for security purposes. It expires after the session ends.

hs

Used for security purposes. It expires after the session ends.

svSession

Used for logging in. It expires after the session ends.

SSR-caching

Used to indicate the system on which the page was rendered. It expires after a minute.

_wixCIDX

Used for monitoring and debugging the system. It expires after three months.

_wix_browser_sess

Used for monitoring and debugging the system. It expires after the session ends.

consent-policy

Used to manage the banner informing about cookies. It expires after 12 months.

smSession

Used to identify users logged in to the website. It expires after the session ends.

TS*

Used for security purposes. It expires after the session ends.

bSession

Used to monitor system performance. It expires after 30 minutes.

fedops.logger.sessionId

Used to monitor system stability / performance. It expires after 12 months.

wixLanguage

Used to save user preferences regarding the language version of the website. It expires after 12 months. This is a function cookie, unlike the cookies mentioned above, which are essential for the proper functioning of the website.

Third party cookies

Additionally, on our website we also use cookies generated by third party products and services used on the website. Their list is provided below.

Google Analytics

EC2 uses Google Analytics to analyse website statistics. This tool stores cookies on your computer. The data collected by Google Analytics is used to better understand visitors to our website and how they use it. The use of the Google Analytics tool is based on the legitimate interest of the Data Administrator, consisting in the creation of statistics and their analysis in order to optimize the Website.

Due to the fact that the provider of the Google Analytics tool, i.e. Google LLC, has infrastructure (servers) in the USA, and therefore there is a possibility that the data collected through this tool will go outside the EEA, Google LLC uses compliance mechanisms such as standard contractual clauses.

In order to prevent the recording of the data collected by cookies regarding the use of the Website by Google, it is possible to download the Google Analytics blocking browser add-on, which is available for download at: https://tools.google.com/dlpage/gaoptout

The data processing rules under Google Analytics are available at: https://support.google.com/analytics/topic/2919631.

__utma 
Persistent cookie used to determine the number of individual visitors to the website. It stores information on the number of visits, the time of the first visit, the previous visit and when the current visit began, as well as the time of the last interaction with the website. Some of the information is updated with each page view. It expires two years after being added or last updated.

__utmb
Session cookie used to determine the number of visits to the website. It stores a unique number, information about the number of tabs viewed during the current visit, and the start time of the current visit. Some information is updated with each version. It expires thirty minutes after being added or last updated.

__utmc
Session cookie used together with __utmb to determine if there is a new visit to the website (30 minutes of inactivity counted by Google Analytics is a new visit). It stores a unique number. It expires when the browser is closed.

__utmz
Persistent cookie used to measure traffic sources on the site and site navigation (for example, which search engine was used to access the site). It stores a unique number, information on the time of redirection from the traffic source, traffic source count and the name / type of traffic source, search terms from external search engines. It expires six months after being added or updated.

For more information on cookies placed by Google, see: http://www.google.com/intl/en/policies/technologies/types/.

Social media tools

Facebook

We use a social plugin from Facebook on selected pages.

If you visit a page with a Facebook plugin installed, a connection is made to the Facebook server, which allows the plugin to send information to your browser. In this way, information is sent to the Facebook server, including which of our tabs you have visited. Moreover, if you are logged in to Facebook, this information will be added to your Facebook account.

More information about Facebook cookies can be found here: https://www.facebook.com/help/cookies.

The principles and purposes of data processing by Facebook are included in the privacy policy available at: https://www.facebook.com/legal/FB_Work_Privacy.

LinkedIn

As with Facebook, we use a social plugin from LinkedIn on some of our pages. If you visit such a page, a connection to the LinkedIn server is also established, which allows the transmission of information to the browser regarding, among other, how you use our website. This information can also be added to your LinkedIn account as long as you are logged in to LinkedIn while using our website.

More information on cookies from LinkedIn can be found here:

https://pl.linkedin.com/legal/cookie-policy.

The principles and purposes of data processing by LinkedIn are set out in the privacy policy available at: https://www.linkedin.com/legal/privacy-policy

YouTube

The website displays videos from the YouTube channel belonging to EC2. Videos are displayed using the YouTube video player and cookies are used while the videos are displayed.

YouTube cookies, domain: youtube.com

VISITOR_INFO1_LIVE
Persistent cookie used if the user is already logged in to the YouTube profile and “likes” the video. It is also used to determine available bandwidth to optimize video quality and keep a record of the number of views. It expires after nine months.

PREF
Persistent cookie, which can be stored if the user clicks on the “share” button of an uploaded YouTube video. YouTube uses this cookie to retain settings from previous YouTube sessions during which the user viewed the videos posted. It expires after ten years.

use_hitbox
Session cookie used to calculate how many visitors have watched a video. It expires when the browser is closed.

For more information on YouTube (Google) cookies, please visit: www.google.com/intl/en/policies/technologies/types/.

Journalists and media representatives

We process the personal data of journalists and media representatives in order to communicate with the media, in particular: sending press materials, invitations to press conferences and media events and making telephone contact, as well as in order to track the activity of recipients of the addressed correspondence (legitimate interest of the Data Administrator, article 6 section 1 letter f of GDPR).

The personal data in question has been obtained directly from a journalist or media representative or comes from publicly available sources, in particular from websites, press announcements and other public information. These data include basic identification data in the form of name and surname, business contact details (e.g. e-mail address, telephone number), data on the function performed (official position, designation of the function performed, place of performing the function / holding the position, name of the entity where the person works).

Data safety

We maintain a high level of technical security in all systems (including traceability, disaster recovery, access restriction, etc.). We ensure that our employees have access to personal data only in situations when there is a strict need and only to the extent necessary. We have also taken steps to ensure that our subcontractors guarantee the application of security measures in the event of data processing on our behalf.

Rights related to the processing of personal data and how to use them:

In accordance with applicable law, you have the following rights:

— the right to access your data and receive a copy of it (article 15 of GDPR);

— the right to rectify (correct) your data (article 16 of GDPR);

— the right to delete data (article 17 of GDPR);

— the right to limit data processing (article 18 of GDPR);

— the right to data portability (article 20 of GDPR);

— the right to withdraw consent if such consent has been given – you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing which was carried out on the basis of consent before its withdrawal;

— the right to lodge a complaint with the President of the Personal Data Protection Office (2 Stawki Street , 00-193 Warsaw) – if you believe that the Data Administrator is processing your personal data unlawfully, detailed access data are available on the Office’s website at www.uodo.gov. pl.

Right to object

You have the right to object to the processing of your personal data for reasons related to your particular situation (article 21, section 1 letters 4-5 of GDPR). When submitting an objection, you should indicate the special situation which, in your opinion, justifies the cessation of the processing of personal data covered by the objection by the Data Administrator. The data administrator will cease to process your personal data for the purposes set out above, unless he demonstrates the existence of applicable legally valid grounds for processing, overriding rights and freedoms, or that your data is necessary for the Data Administrator to establish, assert or defend claims.

The right to object to data processing for marketing purposes

You have the right to object at any time to the processing of your personal data for the purpose of direct marketing. If this right is exercised, the Data Administrator will cease to process data for this purpose.

Not all of the above rights are absolute, which means that you will not be entitled to all processing activities. Your permanent right is the right to lodge a complaint with the competent supervisory authority, if you believe that the processing of your personal data by us violates the provisions of the GDPR.

We encourage you to familiarize yourself with the above rights.

Rules for submitting requests related to the exercise of rights

We have appointed a Data Protection Officer, who can be contacted in any matter regarding the processing of personal data via the e-mail address: [email protected] or by correspondence to the address of the Data Protection Inspector EC2, Okopowa 47 Street, 01-059 Warsaw.

Your request to EC2 to exercise your rights should be submitted by writing an e-mail to the following e-mail address: [email protected] or by mail to the address: Okopowa 47 Street, 01-059 Warsaw.

If you have any questions regarding this privacy policy, please contact us by e-mail at [email protected].

Automated decision making, profiling

The Data Administrator does not use your personal data for profiling or as part of an automated decision-making system.

Changes to the Privacy Policy

We undertake to regularly review and update this Privacy Policy in order to adapt the provisions contained in the document to our activities and the manner in which we process personal data. The current version of the privacy policy is valid as of September 14, 2020.