Legal basis for processing personal data
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as GDPR.
- The Act of 10 May 2018 (Journal of Laws of 2018, item 1000)
1. The Controller of your personal data is University of Social Sciences in Łódź, ul. Sienkiewicza 9, 90-113 Łódź.
2. The Data Protection Officer (DPO) appointed by the Data Controller supervises the correctness of personal data processing and can be contacted via email@example.com.
3. The processing of personal data is in accordance with the law and based on detailed provisions of law which are as follows:
- 1/ article 6 section 1 letter b GDPR – personal data is processed based on the agreement concluded with University of Social Sciences in Łódź (the necessity of personal data processing for the performance of an agreement to which you are a party, including the agreement on providing services by electronic means, for instance sending e-mails, surveys, inquiries etc.).
- 2/ article 6 section 1 letter c GDPR – the necessity of compliance with a legal obligation to which the Data Controller is subject ( for instance the storage of VAT invoices in order to comply with fiscal obligations).
- 3/ article 6 section 1 letter f GDPR – the necessity of personal data processing for the purposes of the legitimate interests pursued by the Data Controller or by a third party, in particular for marketing and promotion-related purposes.
- 4/ article 6 section 1 letter a GDPR – your consent to the processing of personal data
4. Your personal data shall be processed by the Data Controller for one or more following purposes:
- 1/ performance of an agreement with University of Social Sciences in Łódź (article 6 section 1 letter b GDPR),
- 2/ compliance with fiscal and accounting obligations (article 6 section 1 letter c GDPR),
- 3/ providing a free service by electronic means, provided you have given your consent to receiving commercial information (article 6 section 1 letter b GDPR),
- 4/ establishing, pursuing and defence in case of arising counterclaims (article 6 section 1 letter f GDPR),
- 5/ marketing purposes (article 6 section 1 letter f GDPR),
- 6/ analytical purposes (article 6 section 1 letter f GDPR),
- 7/ statistical purposes (article 6 section 1 letter f GDPR),
- 8/ record keeping purposes (article 6 section 1 letter f GDPR).
5. The recipients of your personal data are the entities who have been commissioned by the Data Controller to perform activities which involve processing of personal data (data processors): information system operators, payment system operators, SMS, e-mail marketing, promotion and recruitment system operators, law firms, accounting and audit firms.
6. Your personal data shall not be transferred to third countries i.e. outside European Economic Area and to any international organizations.
7. Personal data shall be processed for the period necessary to fulfil the purposes stipulated in point 4, until the termination of educational services provision, and after that until the prescription of potential claims or until the termination of legal obligations to store the data.
8. Remarketing used by the University allows to display advertisements to people who have already visited our Website or used the mobile application. Remarketing helps to recontact by displaying relevant advertisements on different devices which the user uses. The new remarketing tag consists of a global site tag and an event snippet which, by acting in compliance, allow to track conversions. The event snippet informs the global site tag when more detailed data about the remarketing event should be sent. After setting the data source for AdWords tags, the event snippets with a global site tag and an optional event snippet are displayed.
9. In relation to the processing of personal data by the Data Controller, the user has a right to:
- access, rectify and remove their personal data or limit the processing of personal data,
- raise the objection against processing,
- data portability,
- revoke their consent to processing of personal data for a particular purpose, provided such a consent has been given,
- lodge a complaint to a supervisory authority in relation to the processing of personal data by the Data Controller.
The above mentioned rights may be exercised in compliance with the principles stipulated in art. 16-21 GDPR, contacting the Data Controller via Data Protection Officer who can be contacted via firstname.lastname@example.org.
10. Providing the personal data by the user is always voluntary, however necessary for using the functions of the Website.
11. The Data Controller shall maintain confidentiality of all transferred personal data and shall apply all safety measures and measures providing the protection of processed personal data required by the regulations on personal data protection. The personal data is stored with due diligence and protected against the access by unauthorised persons. The personal data is processed solely on the territory of the European Union.
12. The Data Controller shall neither transfer nor trade the user’s personal data. The personal data shall not be transferred to other persons or institutions without the user’s consent. The personal data processed by the Data Controller may be disclosed to authorised state authorities at their request solely in accordance with the relevant provisions of law.
13. In order to use the function of the University's Website, the user shall provide their personal data, i.e. e-mail address, by filling in the contact / registration form. The legal basis for the processing of user’s personal data included in the contact / registration form is the consent given by the user. The data provided in the form is saved in the Data Controller’s database.
14. While contacting the University via e-mail, the user provides their e-mail address as the address of the sender’s message. Furthermore, other personal data may be included in the message. The legal basis for personal data processing in this case is the consent resulting from the initiation of contact. The user's personal data provided in relation to the e-mail contact is processed solely for the purpose of handling the inquiry. The content of the correspondence may be archived.
16. Cookies allow to:
- ensure the proper, expected functioning of the Website,
- improve the speed and security of using the Website,
- improve the functions available on the Website,
- use analytical tools,
- use marketing tools,
- provide social functions.
Own cookies. Cookies can be divided into own and third-party cookies. As far as own cookies are concerned, the Data Controller uses them for the purpose of proper functioning of the Website.
19. The Data Controller uses Facebook marketing tools in order to target the advertisements at users on this website. For this purpose, the Pixel tool provided by Facebook, which remembers the user’s visits, has been implemented in the Website's code. Facebook cookies are used for this purpose.
20. Using the Website involves sending the inquiries to the server on which the Website is stored. Each inquiry addressed to the server is saved in the server logs. The logs include among others: IP address, server date and time, information about the web browser and operating system used by the user. The logs are saved and stored on the server. The data stored in the server logs is neither associated with particular people using the Website nor used by the Data Controller in order to identify the user. The server logs are only auxiliary material used to manage the application and their content is not disclosed to anyone except the people authorized to manage the server.
22. The Data Controller shall endeavour to apply physical, technical and organisational measures providing the protection of processed personal data, in particular concerning protection of data against its unintentional or intentional damage, loss, change, unauthorised disclosure, use or access, pursuant to all applicable provisions.