in force as of 25 May 2018
Crido is committed to protecting the confidentiality and privacy of information provided to us. One of our key duties is to guarantee the proper protection and adequate use of personal data gathered through web sites.
Personal data means any information relating to an identified or identifiable natural person. Crido processes personal data for many purposes, and depending on the purpose, different manners of data collection, legal bases for the processing, use and disclosure of data, as well as periods for which personal data will be stored, will apply. We gather only the personal data which have been freely provided to us by visitors on our websites, so that we can transfer information and provide services to such visitors, and upon a separate request also provide marketing information, to the extent adequate to the purpose of gathering and processing such data.
- Your personal data is managed by Crido Management Ltd LP, registered in Warsaw at ul. Grzybowska 5A, or any of the other Crido group member companies – for an up-to-date list of group companies, see: link (referred to as the “Administrator”). If you use our website and if, through our website, you consent to our collecting your personal data, disclosure of the relevant data administrator or joint data administrators responsible for your data processing depends on the purpose for which such data is collected. Information about the joint policy of the data administrators can be found at: link
- The Data Controller respects privacy of all visitors to our Website (including all sub websites, hereinafter jointly as the Website).
- The Data Controller undertakes to comply with the confidential character of the data collected in the course of visiting the Website.
- Personal data of the Website’s users shall be processed pursuant to the commonly applied requirements of law, including the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2018, item 1000), and requirements laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1; GDPR).
Purposes and operations of data processing
- The Data Controller collects data of people who, amongst other things, have registered on the Website via a dedicated registration form, contact form, application form, or signed up to a newsletter, etc.
- Our website user personal data is processed for the purpose of:
- providing services through our website and for the purposes listed in the relevant dedicated forms available on our website, including:
- subscription to an information distribution service, including commercial information (e.g., newsletters, notifications about blog posts, industry reports, etc.) and personal targeting of such information which might involve data analysis and profiling for marketing purposes;
- business enquiries;
- requests for a quote;
- requests for a quote and software sales process management as part of the HYPE innovation platform management or use of other IT tools;
- use of online applications or tools (e.g., project registration);
- distribution of publications / materials;
- registration for events (e.g., meetings, conferences, competitions, etc.) organised by the Administrator;
- participation in recruitment processes organised by the Administrator, including in particular submission of recruitment documents, e.g., CV and covering letter, etc. (more information about personal data processing during recruitment is available in the Job Applicant Privacy Notice);
- website administration and management;
- data aggregation for the purposes of analysis and Service improvement; and
- communication with the user, including marketing activities, and for any other reason that is in conformity with the statutory requirements, where such communication is necessary to discharge contractual provisions, and for the purposes of direct marketing involving the Administrator’s own services, pursuant to art 6, para 1, pt b and pt f of the GDPR.
- Depending on the form of using the Website, a user may be asked to provide more or less information, including personal data, necessary to fulfill his / her wishes / requests.
- If a user wishes to use the services provided by the Website, (s)he may be asked to provide data that will facilitate contact, in particular his/her full name, position, electronic mail address (email) and telephone number.
- Personal data of the Website’s users will be kept only for a necessary period of time (for example, during the period of the relationship with the Website’s user). The Data Controller will process the personal data provided by the user for direct marketing purposes as long as it is necessary to fulfill the user’s request / demand, unless the user provides his/her prior objection to the processing of his/her personal data for this purpose.
- Providing personal data is voluntary, but necessary for the provision of services such as, for example, sending marketing information in the form of a newsletter, etc.
- Depending on the decision made when filling in the appropriate form on the Website, the personal data provided, in particular an e-mail address and a mobile phone number, may be used by the Data Controller to send commercial information within the meaning of the Act of 18 July 2002 on the provision of electronic services (Journal of Laws of 2017, item 1219 – consolidated text as amended) and the Act of 16 July 2004 – Telecommunications Law (Journal of Laws of 2017, item 1907 – consolidated text as amended).
- Moreover, in the case of express consent, the Data Controller may send marketing information periodically to the email address provided by the user.
- The Data Controller has concluded a contract with a hosting company, home.pl S.A., regarding entrusting the processing of personal data necessary for the provision of services, in the field of data entered by users of the Website in the relevant contact forms (e.g. name, surname, address, e-mail address). The Data Controller can share the data with the above-mentioned service provider upon receipt from users.
- In disseminating any marketing information and our newsletter we aim to achieve the closest possible fit between our marketing information and the user’s business and professional preferences. The Administrator does not make any automated decisions as set out in art 22 of the GDPR. The Administrator analyses the user’s business and professional preferences in order to ensure an optimal fit between the user’s preferences and any marketing information or indeed any services offered by the Administrator or its partners.
Transfers of personal data
- The Data Controller does not collect personal data for the purpose of their transfer or sale to external entities, not associated with the Crido group, for marketing purposes. The personal data stored by us may be transferred for other strictly necessary purposes to the following entities:
- external organizations providing applications / functionalities or providing data processing services or IT services (e.g. information technology or cloud software providers) as well as entities providing identity management services, hosting and website management, data analysis, backup, security, etc.;
- external organizations that provide assistance to us when providing goods or information or providing services;
- our partner HYPE Softwaretechnik GmbH with its seat in Germany for statistical purposes, only in the case of submitting a request for an offer within the HYPE innovation management platform and as part of the software sales process;
- law enforcement authorities, regulatory authorities and other government authorities or third parties if the requirement to transfer data results from applicable law.
- A person whose personal data is processed by the Data Controller is entitled to submit a request to exercise his/her rights in written or electronic form on the contact form available on the Data Controller’s website. This does not exclude the right of such a person to submit a request in a different form, which is acceptable and can be documented by the Data Controller. The request of the data subject should always indicate what personal data and actions are involved in the scope of the request. In a situation when the lodged request is not specified precisely, e.g. there is no indication of the scope of data or activities in the scope of the request, the Data Controller shall ask the subject to specify his/her request. If the request is left unspecified, the Data Controller has the right to suspend the fulfillment of the request until it obtains sufficient information from the data subject.
- Communication with the person whose data are processed in respect of the implementation of his/her rights takes place in a concise, transparent, understandable and easily accessible form and clear and simple language.
- A response to the request will be given with no undue delay, no later than one month after receipt of the request, and will contain information on the action taken in connection therewith. If it is necessary to extend this deadline, at the latest within one month of receipt of the request, the Data Controller provides the data subject with information about the extension of the deadline for considering the request and provides reasons for the delay, e.g. due to the complex nature of requests or the number of requests. The extension cannot take more than two months. If the data subject’s request is not granted, at the latest within one month of receipt of the request, the Data Controller will provide information about refusal to take action in relation to the request, reasons for inaction, possibility of lodging a complaint to the supervisory body and using legal protection measures before the court.
- The Data Controller communicates with persons whose data are processed in Polish. If a language other than Polish is used normally in communication with a given entity, the Data Controller will answer in that language.
Your right to request access to your personal data
- The data subject is entitled to obtain from the Data Controller confirmation whether the Data Controller processes his/her personal data, and if this is the case, the data subject is entitled to access the data and the following information:
- the purpose of processing;
- categories of the processed personal data;
- recipients or categories of recipients to whom the personal data have been or may be disclosed, in particular recipients in third countries or international organizations;
- the planned period of personal data processing, if possible, and when this is not possible, the criteria for determining this period, assuming that this period is limited to the necessary minimum;
- the right to require the Data Controller to rectify, delete or limit the processing of personal data of the data subject and to raise objections to such processing;
- the right to lodge a complaint to the supervisory body with regard to personal data if the data subject believes that the processing violates his/her rights;
- if personal data have not been collected from the data subject – all information about their source;
- information on automated decision-making, including profiling, relevant information on the rules of decision-making, and on the importance and anticipated consequences of such processing for the data subject.
Right to rectify personal data
- The data subject has the right to request the Data Controller to immediately correct personal data concerning him/her that are incorrect.
- The data subject has the right to request supplementing incomplete personal data, also by submitting an additional statement.
Right to have your data erased (“right to be forgotten”)
- In the event that the data subject wants to exercise vis-à-vis the Data Controller the right to request the erasure of his/her data, such a request should be expressed in the form of a clear statement indicating the scope of the request.
- The Data Controller may not grant the data erasure request resulting from the withdrawal of consent by the data subject, if the subject’s consent was not the only condition for the processing of his/her data, in particular when the purpose of data processing remains the implementation of the contract binding the data subject and the Data Controller, or processing of these data is necessary to fulfill the legal obligation of the Data Controller.
- The processing of personal data by the Data Controller despite the request for erasure is legal, if it is necessary in particular for the Data Controller to comply with a legal obligation, for the Data Controller to perform tasks in the public interest, for statistical purposes or for the establishment, exercise or defense of claims.
Right to restriction of personal data processing
- The data subject has the right to request the Data Controller to restrict the processing of his/her data when, for example:
- the data subject contests the accuracy of his/her personal data (for a period enabling the Data Controller to verify the accuracy of the personal data);
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of claims;
- the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.
- A request to restrict data processing should be submitted in the form of an explicit statement of the data subject indicating the scope of the request.
- The restriction of data processing by the Data Controller may be effected, in particular, by marking stored personal data in the system in order to restrict their future processing.
- The Data Controller may additionally, in order to restrict the processing of personal data, in particular:
- temporarily transfer selected personal data to another processing system;
- prevent the user of the IT system used by the Data Controller from accessing selected data;
- restrict by technical means the processing in automated data sets in such a way that personal data are not subject to further processing or cannot be changed.
- Personal data the processing of which has been restricted may be processed by the Data Controller, with the exception of storage, only:
- with the consent of the data subject;
- to establish, exercise or defend claims, or to protect the rights of another natural or legal person;
- due to important reasons of public interest of the European Union or a Member State.
Right to data portability
- The data subject, at his/her request, receives the personal data concerning him/her, which (s)he has provided to the Data Controller, in a structured, commonly used and machine-readable format, e.g. .doc, .docx, .pdf, etc., and has the right to request that those data be transmitted to another controller. The data subject also has the right to transmit those data to another controller without hindrance from the Data Controller.
- The data subject has the right to request the transfer of data only in relation to the data that (s)he provided to the Data Controller him-/herself, if the data are processed by the Data Controller based on the consent of the data subject or on the basis of the contract to which the data subject is a party.
- The data to be transferred are:
- data processed by the Data Controller in an automated manner. Data in paper collections are not transferred;
- data that has been provided to the Data Controller by the data subject knowingly and actively.
- The Data Controller will ensure the possibility of obtaining a file containing data to be transferred to the private device of the data subject. If the data subject does not use electronic devices, the Data Controller may allow submission of the application in a different form, e.g. paper.
Right to object to personal data processing
- If the data subject lodges an objection, (s)he should indicate the specific purpose of data processing (s)he opposes and explain his/her particular situation.
- The Data Controller grants the objection or refuses to grant it, after analyzing whether the particular situation of the data subject is overriding the legitimate grounds for processing by the Data Controller. Pending the analysis, the Data Controller, at the explicit request of the data subject, applies the processing restriction on the basis of Article 18(1) GDPR.
- When refusing to grant the objection, the Data Controller explains to the data subject in an accessible way the reasons for which it believes that the interests, rights and freedoms of the data subject are not overriding.
- The Data Controller may process data for direct marketing purposes (including profiling) based on its legitimate interest. If the data subject submits an objection to such type of processing, the Data Controller will not process data for this purpose any more.
- The Data Controller grants the objection of the data subject to the processing, filed in accordance with Article 21(1) GDPR, unless there are legitimate grounds for processing that override the right of opposition and the interests of the opponent.
Right to lodge a complaint with a supervisory authority (Head of the Office of Personal Data Protection)
- If the data subject believes that the processing of his/her personal data violates his/her rights, (s)he may file a complaint with the supervisory body regarding personal data protection.
- Subject to our website user’s prior consent, the Administrator can store some information on the user’s computer using cookies.
- Cookies are used, among other things, to: help the user log in (store the user’s name if the user registers or logs in to the website); store selected user preferences; support the user with a view to improving the website.
- Within the Website, two basic types of cookies are used:
- session cookies – temporary files that are stored on the user’s end device until logging out, leaving the website or turning off the software (web browser);
- persistent cookies – they are stored in the user’s end device for the time specified in the cookie file parameters or until they are removed by the user.
- In many cases, software used for browsing websites (web browser) allows cookies to be stored in the user’s end device by default. The Website’s users may change their cookie settings at any time. These settings may be changed in particular in such a way as to block the automatic handling of cookies in the web browser’s settings or to notify the user each time cookies are placed on his/her device. Detailed information about the possibilities and ways of handling cookies is available in the software (web browser) settings.
- The following types of cookies are used on the Website:
- “necessary” cookies, enabling the use of services available on the Website, e.g. authentication cookies used for services that require authentication within the Website;
- cookies used to ensure security, e.g. used to detect fraud in the field of authentication within the Website;
- “performance” cookies, enabling the collection of information on the use of the pages of the Website;
- “functional” cookies, allowing “remembering” the settings selected by the user and personalizing the user interface, e.g. in terms of the language or region of the user’s origin, size of the font, appearance of the website, etc.;
- “advertising” cookies, enabling the delivery of advertising content more tailored to users’ interests;
- “analytical” cookies collect information about the use of a given website, such as pages visited by a given user and any error messages; they do not collect information enabling identification of the user, and the collected data are aggregated in such a way that they become anonymous. Analytical cookies are used to improve the website’s performance.
- More information about cookies is available at www.wszystkoociasteczkach.pl, www.allaboutcookies.com or in the “Help” section in the browser’s menu.
Threats related to the use of the Website
- The user should be aware that the data transmitted on the public telecommunications network between his/her device and the Website are not completely secure. The Data Controller is not able to provide full protection and security of these data when communicating with the Website. Nevertheless, the Data Controller guarantees that it will take appropriate actions to secure data sent to it electronically, in particular personal data provided by the user through electronic forms.
- The Website may contain links to websites or sites of third parties. These third parties may have their own terms for services provided electronically and their own privacy principles, which the user undertakes to comply with after clicking on the link and leaving the Website.
Transfer of control
There may be circumstances in which the Data Controller decides to sell or transfer all or part of its business or assets. In this case, personal data of users may be transferred or made available by the Data Controller to third parties within and in connection with the planned transaction. In such situations, the Data Controller shall ensure that third parties are obliged to provide adequate protection for personal data collected through the Website. In addition, the Data Controller will inform the users of the Website about such circumstances by updating the list of companies from the group in the manner specified in clause 1.1 hereof, and users will have the right to request their data to be deleted.
Should you have any questions with regard to the processing of personal data by the Data Controller, please contact the Data Controller at firstname.lastname@example.org or +48 22 324 59 00.