PRIVACY POLICY

Effective 30 August 2022

Crido attaches particular importance to protecting the confidentiality and privacy of the information entrusted to us. One of our key responsibilities is to ensure adequate protection and proper use of personal information collected through our websites.

Personal data means information about an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier, or one or more specific factors that determine the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

Crido processes personal data for various purposes, and depending on the purpose, different methods of collection, the legal basis for processing, use, disclosure and retention periods may apply. We collect only such personal data voluntarily provided by visitors to our websites in order to provide them with information or services, and – in the case of a separate, explicit request – also information of a marketing nature, and to the extent appropriate to the purpose of collecting and processing such data.

This Privacy Policy (“Privacy Policy“) informs you how we collect, use and protect the personal data you provide to us and what rights you have as a data subject.

Introduction

1. The administrator of your personal data is CRIDO Doradztwo A. Puncewicz spółka jawna, with its registered office in Warsaw, ul. Towarowa 28, or another company from the Crido Group – a current list of group companies with their address details can be found here: link (the “Administrator” or “Crido“). If you use our sites and voluntarily provide us with your personal data through them, the designation of the relevant responsible party or parties as joint administrators for their processing depends on the purpose for which we collect them. Information on the essential content of the co-administrator arrangements can be found here: link.
2. The Administrator respects the privacy of all individuals who visit our Site (including: all of its sub-sites; collectively, the “Site“).
3. The Administrator undertakes to respect the confidential nature of the data collected when users use the Site.

Principles of data processing

The processing of users’ personal data is an important part of the process of providing users with Crido products and services.

The personal data of the Site’s users will be processed in accordance with the requirements of generally applicable law, including the Act of 10 May 2018 on the Protection of Personal Data (i.e. Journal of Laws of 2019, item 1781) and the requirements set forth in the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (Official Journal of the EU L of 2016, No. 119, p. 1; “GDPR“).

Users’ personal information is their property. Crido strives not to make assumptions about a user’s privacy preferences in advance, and strives to design its services in such a way that a user can opt out of sharing his or her personal information with Crido, or can choose whether to give Crido appropriate consent.

If your personal data is processed for a legitimate interest and your need to protect your privacy does not outweigh that interest, Crido may choose to process certain personal data without obtaining your consent.

Crido strives to process only personal data of users that are sufficient, adequate, appropriate to the purpose for which they were collected.

Crido adheres to the principle of transparency regarding what personal data it processes and for what purpose. Upon request, Crido provides information about the processing of your personal data.

Crido complies with applicable laws, rules and regulations regarding privacy and data protection. We adapt the rules for processing your personal data described in this Privacy Policy to ensure compliance with the law.

In cases where we process your personal data, we strive to ensure that it is correct and up-to-date. We also try to delete or correct incorrect or incomplete personal data.

Crido uses appropriate technical and organizational measures to ensure the protection of your personal data against accidental or unlawful destruction, accidental loss or modification, unauthorized disclosure or access, and other forms of unlawful processing. Crido endeavors to ensure that the level of security and the measures in place to protect your personal data are appropriate to the risk factors associated with the nature and use of such personal data.

Purposes and operations of data processing

1. The Administrator collects the data of persons who, inter alia:
   • have registered on the Site through a dedicated registration form, contact form, application form,
   • have ordered a newsletter service,
   • have ordered products and services offered by Crido.
2. Personal data of users of the Site will be processed for the following purposes:
   • The performance of the services provided by Crido through the Site and for the purposes indicated in the relevant and dedicated forms of the Site, including but not limited to:
     • signing up to receive information, including commercial information (e.g. newsletters, blog notifications, industry reports, etc.) and personalizing the information provided, including data analysis and profiling for marketing purposes;
     • submitting a contact inquiry;
     • submitting a request for quotation;
     • submitting a request for quotation and handling the process of selling software within the HYPE innovation management platform or other IT tools;
     • use of online applications or tools (e.g., project submission);
     • distributing publications/materials;
     • signing up for events (e.g. meetings, conferences, contests) organized by the Administrator;
     • enrolling in training courses organized by Crido;
     • enrolling in programs organized by Crido (e.g., Alumni CRIDO; detailed information on the processing of personal data in the Alumni CRIDO program is available here: link );
     • participating in the recruitment process conducted by the Administrator, including in particular the submission of recruitment documents, e.g. CV (resume) and cover letter, etc. (detailed information on the processing of personal data in the recruitment process is available here: );
   • Monitoring and enforcing compliance with the terms of use of the Site;
   • Administration and management of the Site;
   • Aggregate data to analyze and improve the operation of the Site, and
   • Communicating with the user, including marketing activities, as well as for other purposes in accordance with applicable law, insofar as required for the performance of the contract, and for direct marketing of the Administrator’s own services.
3. Depending on the form of use of the Site, you may be asked to provide more or less information, including personal information, necessary to carry out your wishes/requests.
4. If you wish to use the services provided through the Site, you may be asked to provide data to ensure that you can be contacted, in particular your name, position, company name, address data, electronic mail address (e-mail) and telephone number.
5. In the case of separate consents, required under the Act of 18 July 2002 on the Provision of Electronic Services and the Act of 16 July 2004 – Telecommunications Law, the Administrator may send periodic marketing information to the electronic mail address (e-mail) or telephone number provided by the user. In sending marketing information and newsletters, we aim to tailor marketing messages to the user’s business and professional preferences as much as possible.
6. The personal data of Site users will be kept only for the period necessary to fulfill the purposes of the processing, but no longer than the expiration of the statute of limitations for any claims that may arise from the relationship with the Site user. In the case of processing a user’s personal data for direct marketing purposes, the personal data will be processed for as long as necessary to fulfill the user’s wish/request, unless the user objects in advance to the processing of his/her personal data for such purposes.
7. Provision of personal data is voluntary, but necessary to provide services such as sending marketing information in the form of a newsletter, enabling participation in an event or training, providing access to materials/publications.
8. The Administrator has entered into an agreement with the hosting company home.pl S.A. to entrust the processing of personal data necessary for the performance of services, to the extent of data entered by Site users in the relevant contact forms (e.g. name, surname, address data, e-mail address). The Administrator may share data with the above-mentioned service provider upon receipt of such data from users.
9. The hosting company will process the personal data of the Site users, in the name and on behalf of and to the extent designated by the Administrator. The hosting company will process the above personal data of the Site users for the duration of the hosting agreement. The hosting company is obliged to comply with all the rules contained in this Privacy Policy.
10. No automated decisions within the meaning of Article 22 of GDPR are made in the Administrator’s operations. The Administrator uses the analysis of business and professional preferences to optimally match the user with both marketing communications and services offered by the Administrator or co-administrators.

Legal grounds for processing personal data

1. Crido has the following legal grounds to justify the processing of users’ personal data:

• Article 6(1)(a) GDPR – consent is the basis for Crido’s processing of personal data for the following purposes, inter alia:
• • related to the organization and conduct of the recruitment process;
  • related to enabling the user to participate in an event (e.g. meeting, conference, contest) organized by the Administrator;

Please be advised that the revocation of any processing consent granted will not affect the lawfulness of the processing carried out on the basis of consent prior to its revocation;

• Article 6(1)(b) GDPR – performance of the contract is the basis for Crido’s processing of personal data for purposes related to enabling the user to participate in training courses organized by Crido. Provision of data is voluntary, but necessary for conclusion and performance of the agreement by Crido;
• Article 6(1)(b) GDPR – the legal basis for the processing of users’ personal data is for Crido to take action (at the user’s request) to contact the user in order to establish cooperation. In this regard, the provision of personal data is necessary to undertake the abovementioned activities;
• Article 6(1)(f) GDPR – Crido has a legitimate interest to process personal data for the following purposes, inter alia:
  • direct marketing of products and services offered by Crido;
  • sending commercial information;
  • monitoring and enforcing compliance with the terms of use of the Site;
  • administration and management of the Site;
  • aggregate data for analysis and improvement of the Site’s operation;
  • communicating with the user;
  • archival and evidentiary purposes, enabling us to pursue our legitimate interest of securing information in the event of a legal need to prove facts, to realize the rights of data subjects, as well as the possible establishment, investigation or defense against claims.

Transfer of personal data

1. The Administrator does not collect personal data for the purpose of transferring or selling it to external entities, unrelated to Crido Group companies, for marketing purposes. For other only necessary purposes, personal data held by us may be transferred to:

• Third-party organizations providing applications/functions or providing data processing or IT services (e.g., information technology providers, cloud-based software, and providers of identity management, website hosting and management, data analytics, backup, security, etc.); and
• Third-party organizations that assist us in providing goods or information or services;
• Our partner HYPE Softwaretechnik GmbH, Germany, for statistical purposes, only in the event of a request for quotation within the HYPE innovation management platform and in the handling of the software sales process;
• Law enforcement agencies, regulatory authorities and other governmental authorities, or to third parties, if the requirement to transfer data is based on applicable laws.

Users’ rights

1. A person whose personal data is processed by the Administrator is entitled to make a request for the exercise of his or her rights in writing or electronically on the contact form provided on the Administrator’s website . This does not exclude the right of such person to submit a request in any other form that is acceptable and documentable to the Administrator. The data subject’s request should always indicate what personal data and actions for the fulfillment of the request it concerns. In a situation where the submitted request is not specified precisely, e.g. by not indicating the scope of the data or the activities for the execution of the request, the Administrator will ask the data subject to specify the request. If the request remains unspecified, the Administrator has the right to withhold the execution of the request until sufficient information is obtained from the data subject.
2. The fulfillment of the submitted request will be carried out in accordance with this Privacy Policy, within a reasonable period of time taking into account the costs, the degree of difficulty of the request and the principles indicated in this Privacy Policy.
3. Communication with the data subject regarding the exercise of his or her rights will be in a concise, clear, understandable and easily accessible form and in clear and simple language.
4. The request will be answered without any undue delay, at the latest within one month of receipt of the request, including information on the actions taken in connection with it. If it is necessary to extend this deadline, the Administrator will, no later than one month after receipt of the request, provide the data subject with information about the extension of the deadline for processing the request and state the reasons for the delay, e.g. due to the complicated nature of the requests or the number of requests. The deadline may not be extended by more than two months. If the data subject’s request is not granted, the Administrator will, no later than one month after receipt of the request, provide information about the refusal to act on the request, the reasons for not acting, the possibility of lodging a complaint to the supervisory authority and exercising legal remedies before the court.
5. The Administrator communicates with the subjects whose data it processes in Polish. In the event that a language other than Polish is used as standard in communication with the subject, the Administrator will respond in the language in question.
6. The right to request access to your own personal data
   • The data subject is entitled to obtain confirmation from the Administrator as to whether the Administrator is processing his/her personal data, and if this is the case, the data subject is entitled to obtain access to the data and the following information about:
   • the purpose of processing;
   • categories of personal data processed;
   • recipients or categories of recipients to whom personal data have been or may be disclosed, in particular recipients in third countries or international organizations;
   • the planned period of processing of personal data, as far as possible, and when this is not possible, about the criteria for determining this period, with the assumption of limiting this period to the necessary minimum;
   • the right to require the Administrator to rectify, erase or restrict the processing of the data subject’s personal data and to object to such processing;
   • the right to lodge a complaint with the supervisory authority for personal data if the data subject believes that the processing violates his or her rights;
   • if the personal data was not collected from the data subject – any information about its source;
   • information about automated decision-making, including profiling, relevant information about the principles of decision-making and the significance and anticipated consequences of such processing for the data subject.
7. Right to rectify personal data
   • The data subject has the right to request from the Administrator immediate rectification of personal data concerning him/her that is inaccurate.
   • The data subject has the right to request completion of incomplete personal data, including by providing an additional statement.
8. The right to erasure of data (the right to “be forgotten”)
   • If a data subject wishes to exercise against the Administrator  the right to request erasure of his or her data, such request should be expressed in the form of a clear statement indicating the scope of the request in question.
   • The Administrator may disregard a request for erasure resulting from the data subject’s withdrawal of consent where the data subject’s consent was not the sole premise for the processing of his or her data, in particular where the purpose of the processing is still the performance of a contract binding the data subject and the Administrator, or where the processing of the data is necessary for the fulfillment of a legal obligation incumbent on the Administrator.
   • The Administrator’s processing of personal data, despite a request for deletion, is lawful if it is necessary, in particular, for the Administrator to comply with a legal obligation, for the Administrator to perform tasks carried out in the public interest, for statistical purposes or to establish, assert or defend claims.
9. The right to restrict the processing of personal data
   • The data subject has the right to request a restriction of the processing of his/her data by the Administrator when, for example:
     • the subject questions the accuracy of his/her personal data (for a period of time that allows the Administrator to verify the accuracy of his/her data);
     • processing is unlawful and the data subject objects to erasure, requesting instead that processing be restricted;
     • the Administrator no longer needs the personal data for the purposes of processing, but they are needed by the data subject to establish, assert or defend claims;
     • the data subject has objected to the processing under Article 21(1) of GDPR, until it is determined whether the legitimate grounds on the part of the Administrator override the grounds for the data subject’s objection.
   • The request for restriction of data processing should be made in the form of an explicit statement by the data subject indicating the subject scope of the request.
   • Restriction of processing by the Administrator can be implemented, in particular, by marking the stored personal data in the system to limit its future processing.
   • The Administrator  may additionally, in order to restrict the processing of personal data, in particular:
     • temporarily transfer selected personal data to another processing system;
     • prevent a user of the IT system used by the Administrator from accessing selected data;
     • limit by technical means the processing in automated collections of the data in such a way that the personal data are not subject to further processing or alteration.
   • Personal data restricted, the Administrator may process, except for storage, only:
     • with the consent of the data subject;
     • in order to establish, assert or defend claims, or to protect the rights of another natural or legal person;
     • due to important reasons of public interest of the European Union or a Member State.
10. Right to data portability
    • The data subject will, upon his/her request, receive in a structured, commonly used machine-readable format, e.g. .doc, .docx, .pdf, etc. personal data concerning him/her and provided to the Administrator by the data subject, processed by the Administrator, and has the right to request that such data be sent to another controller. He/She also has the right to send this data to another controller without hindrance from the Administrator.
    • The data subject has the right to request data portability only with respect to data that he or she has provided to the Administrator himself or herself, if the data are processed by the Administrator on the basis of the data subject’s consent or on the basis of a contract to which the data subject is a party.
    • The data to be transferred are:
      • data processed by the Administrator in an automated manner. Data in paper collections are not transferred.
      • data that has been provided to the Administrator by the data subject knowingly and actively.
      • The Administrator will provide the possibility of receiving a file containing the data to be transferred on the data subject’s private device. If the data subject does not use electronic devices, the Administrator may allow the request to be submitted in another form, such as paper.

The right to object to the processing of personal data

1. If the data subject lodges an objection, he or she should indicate against which specific purpose of the processing he or she is objecting and demonstrate what his or her particular situation is.
2. The Administrator will grant or refuse to grant the objection, after an analysis of whether the particular situation of the data subject overrides the legitimate grounds for processing by the Administrator. For the duration of the analysis, the Administrator will, at the express request of the data subject, apply a restriction of processing pursuant to Article 18(1) of GDPR.
3. When denying an objection, the Administrator will explain to the data subject in an accessible manner the reasons why he/she considers that the interests, rights and freedoms of that person, do not prevail.
4. The Administrator may process data for direct marketing purposes (including profiling) based on its legitimate interest. If the data subject objects to such processing, the Administrator  will no longer process the data for this purpose.
5. The Administrator will take into account the data subject’s objection to the processing, brought in accordance with Article 21 (1) of GDPR, unless there are legitimate grounds for the processing overriding the right to object and the interests of the objector.
6. The right to file a complaint with the supervisory authority (President of the Office for Personal Data Protection)
7. If the data subject believes that the processing of his or her personal data violates his or her rights, he or she may file a complaint with the supervisory authority for personal data protection, which is the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.

Use of cookies

1. Subject to the Site user’s consent, the Administrator may store certain information on the user’s computer using cookies.
2. Cookies are used for, inter alia: helping the user log in (e.g., remembering the user’s username if the user registers or logs in); remembering certain user preferences; helping the Administrator improve the Site.
3. The Site uses two main types of cookies:
   1. “session” (session cookies). “Session” cookies are temporary files that are stored on the user’s terminal device until the user logs out, leaves the website or shuts down the software (web browser);
   2. “permanent” (persistent cookies). “Persistent” cookies are stored on the user’s terminal device for the time specified in the parameters of the cookies or until they are deleted by the userIn many cases, web browsing software (web browser) allows cookies to be stored on the user’s terminal device by default. Users of the Site may change their cookie settings at any time. These settings can be changed, in particular, in such a way as to block the automatic handling of cookies in the settings of the web browser or inform about their placement on the Site user’s device each time. Detailed information about the possibility and methods of handling cookies is available in the settings of your software (web browser).
4. The user may give the consent referred to above through the settings of the software installed in the telecommunications terminal device used by the user or the configuration of the service – i.e.: to disable or restrict the use of cookies, the user may change the settings of his/her Internet browser. However, the consequence of such action may be malfunction or loss of access to some subpages of the Site.
5. The following types of cookies are used on the Site:
6. The Administrator informs that restrictions on the use of cookies may affect certain functionalities available on the Site.
7. More information about cookies is available at www.wszystkoociasteczkach.pl, www.allaboutcookies.com or in the “Help” section of your web browser menu.

Risks associated with use of the Site

1. The user should be aware that the data transmitted over the public telecommunications network between his/her device and the Site is not completely secure. The Administrator is not able to ensure full protection and security of such data when communicating with the Site. Nevertheless, the Administrator guarantees that it will take appropriate measures to secure the data sent to it electronically, in particular the personal data provided by the user through electronic forms.
2. The Site may contain links to third-party sites or services. These third-party links may be related to their own electronically provided service activities and privacy policies, which you agree to abide by when you click on a link and leave the Site.

Transfer of management

There may be circumstances in which the Administrator decides to sell or transfer all or part of its business or assets. In such a case, your personal information may be transferred or shared by the Administrator with third parties as part of and in connection with the proposed transaction. In such situations, the Administrator will ensure that third parties are obliged to provide adequate protection for personal data collected through the Site. In addition, the Administrator will inform Site users of such circumstances by updating the list of group companies, as set forth in paragraph 1 in the Introduction section, and users will have the right to request deletion of their data.

Changes to the Privacy Policy

This Privacy Policy may change from time to time. Any changes to the Privacy Policy will be posted on the Site.

Contact

If you have any questions about the Administrator’s processing of your personal data, you may contact the Administrator at the e-mail address crido@crido.pl and at the telephone number +48 22 324 59 00.