PERSONAL DATA PROCESSING RULES FOR ASTRAFOX LTD.
We attach great importance to protecting personal data which is processed in connection with the provision of Amodit services. This includes ensuring data privacy, confidentiality, and compliance with the relevant legal provisions. Our goal is to enable you to obtain full knowledge of, and control over, the personal data which we process.
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR, imposes a number of obligations on all entities that collect, process, and use personal data. Astrafox makes every effort to meet all GDPR requirements and to constantly improve solutions with the aim of fully protecting personal data.
Below we present information on: how we process your personal data that we have obtained either directly from you or indirectly by legally permissible methods, how we ensure data security, and what rights you have as the subject of this personal data. Additionally, we inform you about cookie files and the rules concerning the processing of personal data entrusted to us.
- Unless otherwise stated directly, individual phrases in this document have the meaning given to them in the content of the Amodit Terms of Service (ToS) and the GDPR.
- The term “Personal Data” means all information about a natural person identified or identifiable by one or more specific factors, including name and surname, address and device IP, location data, Internet ID, and information collected through cookie files and other similar technologies.
- We carefully select and apply appropriate technical and organizational measures to protect personal data processing. Only properly trained and authorized persons have full access to the databases.
- Through the use of appropriate organizational, technical, and programming safeguards (in particular by using data encryption systems), we protect personal data against: disclosure to unauthorized persons, other cases of disclosure or loss, and destruction or unauthorized modification. Passwords are encrypted in such a way as to make them unreadable by Astrafox and its agents.
- Data is sent using SSL protocols; however, Astrafox is not responsible for the elements of data transmission that take place within external e-mail systems which are used by the Customer or User to send or receive messages.
- Any personal data provided by the Customer, or by the User, or collected by Astrafox, is processed in a manner consistent with the requirements set out in Polish law, and above all in accordance with the GDPR.
CONTACT DATA FOR THE ADMINISTRATOR
- The administrator of personal data is Astrafox Ltd., with headquarters in Warsaw at ul. Poloneza 93, 02-826, and registered in the District Court for the capital city of Warsaw, in the 13th Commercial Department of the National Court Register, in the Register of Entrepreneurs under the number 0000193522, with NIP number 525-21-71-560, registered capital of 131 200 PLN – hereinafter this company will be referred to as the “Administrator” or “Astrafox”.
- The Data Protection Officer appointed by the Administrator is Przemysław Sołdacki.
- Contact with the Administrator or the Data Protection Officer appointed by the Administrator is possible through:
PERSONAL DATA PROCESSING
- We limit the processing of personal data to the minimum necessary for the safe and reliable provision of services to our clients. In connection with the provision of services, your personal data may be processed in the following areas:
- name and surname, and possibly the name of the company you represent or you are employed by
- company addresses or other addresses given in the process of conducting business cooperation
- e-mail address
- contact telephone number
- business position or title
- computer IP addresses, cookies
- Personal data will be processed as indicated below:
- Pursuant to GDPR Art. 6 para. 1 (a), “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”: The Administrator may process data until the purpose of the consent is achieved or until consent is withdrawn.
- Pursuant to GDPR Art. 6 para. 1 (b), “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;”: The Administrator may take the actions necessary to fulfill the conditions of the contract until the terms have been achieved, specifically:
- Providing services by electronic means, and full use of the Amodit platform.
- Setting up, managing, and ensuring the operation of Accounts, handling documents, and technical support.
- Handling customer requests, e.g. via the contact form.
- Pursuant to GDPR Art. 6 para. 1 (c), “processing is necessary for compliance with a legal obligation to which the controller is subject;”: The Administrator may process data to fulfill legal obligations such as handling complaints, accounting, tax, archiving, and any obligations set by courts or law enforcement agencies for as long as any legal obligation exists.
- Pursuant to GDPR Art. 6 para. 1 (f), data may be processed in order to:
- enable the Administrator to verify that persons are authorized to represent the Customer – until the objectives in question have been achieved or until an effective, justified objection to further data processing is submitted,
- enable the Administrator to pursue possible claims or defend against claims – until the objectives in question have been achieved or until the limitation periods for claims have expired,
- enable the Administrator to complete a contract concluded with the contractor, including communication with persons designated by the contractor for contact – until the objectives in question are achieved or until an effective, justified objection to further data processing is submitted,
- enable the Administrator to carry out analytical and marketing activities of the Administrator’s products or services – until the objectives in question are achieved or until an effective, justified objection to further data processing is submitted.
- The Customer’s personal data may be processed in an automated manner (including in the form of profiling); however, this will not result in any legal consequences or otherwise significantly affect the Customer. Amodit’s personal data profiling consists of processing data (also in an automated manner), by using the data to evaluate certain information about the Client, in particular to analyze or forecast personal preferences and interests.
- Your personal data may be obtained from the following sources: directly from you, from the KRS (National Court Register) and the CEIDG (Central Record and Information of Economic Activity) registers, or may be provided by our Client – in particular concerning personal data of people designated as contacts.
RECIPIENTS OF PERSONAL DATA
- Recipients of personal data can be:
- entities processing personal data on the basis of personal data processing agreements concluded with the Administrator, including in particular: accounting offices, and companies providing IT, hosting, consulting and courier services,
- entities cooperating with the Administrator, in particular in the field of: legal services, debt collection, insurance, and the provision of postal services,
- entities authorized to obtain personal data on the basis of legal provisions (other administrators), e.g. tax offices, courts, and law enforcement agencies,
- other entities for their own purposes, including marketing purposes, if the data subject’s consent is obtained.
- Personal data may be transferred to entities external to the European Economic Area (EEA) which meet the proper levels of protection, in particular through:
- cooperation with entities processing personal data in countries for which an appropriate decision of the European Commission has been issued, and in the case of data transfer to the USA – cooperation with entities participating in the Privacy Shield program,
- use of standard contractual clauses issued by the European Commission,
- application of binding corporate rules approved by the competent supervisory authority,
- other security measures which ensure the appropriate level of protection based on appropriate legal
- The scope in which personal data is processed outside the EEA relates to the following purposes:
- internet analytics,
- customer services,
- accepting and processing payments,
- marketing Amodit services,
- maintenance and development of the Amodit platform.
RIGHTS OF THE PERSONAL DATA SUBJECT
- To the extent provided for by law, the subject of personal data has:
- The right to access their personal data – the right to obtain information on the processing of your personal data.
- The right to correct their personal data – the right to correct incorrect data or supplement incomplete data.
- The right to delete personal data, known as the “right to be forgotten” – the right to request deletion of data, incl. when processing is no longer necessary to achieve any of the purposes for which the data was collected.
- The right to data portability – the right to receive your personal data in a structured, commonly used, and machine-readable format, as well as the right to send the data to another administrator. This right applies to data processed on the basis of consent, contract, or automatically acquired data.
- The right to limit the processing of personal data – the right to request a restriction of operations performed on personal data.
- The right to lodge a complaint to a supervisory body – the right to file a complaint to the President of the Office for Personal Data Protection, to the following address: ul. Stawki 2, 00-193 Warsaw, if it is found that the processing of personal data violates the provisions on the protection of personal data.
- The right to object to the processing of personal data – regarding data processed on the basis of GDPR Art. 6 para. 1 (f). In the event of an objection, the Administrator will cease to process your personal data for these purposes, unless the Administrator demonstrates the existence of valid, legally justified grounds for further processing of the personal data that override the interests of the person who objected, or will constitute the basis for determining, investigating, or defending against claims.
- The right to withdraw consent at any time if the data processing is based on granting In order to withdraw consent, your request should be addressed to: firstname.lastname@example.org. Withdrawal of consent does not affect the lawfulness of the processing that was carried out before its withdrawal.
- Providing personal data is voluntary, but it is necessary in order to use the services provided by Astrafox. Specifically, failure to provide personal data will result in the inability to provide the services specified in the Amodit Terms of Service (ToS).
- The Administrator uses “cookies”, i.e. small text files which are stored on the end user’s device (e.g. computer, tablet, or smartphone). Cookies can be read by the Administrator’s or other entities’ IT system
- The information collected through the use of “cookies” allows the customization of services and content to the individual needs and preferences of customers, users, and other Internet users visiting the Astrafox website, as well as to develop general statistics on the use of the Amodit platform by customers and users.
- Disabling the option to save “cookies” in a web browser does not prevent the use of Amodit in general but may cause some difficulties and limitations to
- The administrator stores “cookies” on the end user’s device and then gains access to the information contained therein for statistical and marketing purposes as well as to ensure the proper operation of the platform, in particular maintaining sessions after logging in, and recognizing users as new sessions begin.
- The Administrator hereby informs that it is possible to configure web browsers so that cookies are prevented from being stored on the end user’s device.
- The Administrator hereby informs that “cookies” can be deleted by the user after they have been saved by the Administrator. Deletion can be accomplished by certain web browser functions, by programs for this purpose, or by the appropriate tools available within the end user’s operating system.
- The Administrator hereby informs that changing the configuration of the web browser to prevent or restrict the storage of “cookies” on the end user’s device may limit the functionality of the service. The deletion of “cookies” during a service session may lead to similar effects. This may possibly result in the inability to log into the platform or the termination of a session after logging in.
ENTRUSTING PERSONAL DATA
If the Customer entrusts personal data for processing, the provisions of this chapter shall constitute a contract for entrusting personal data processing as described in GDPR Art. 28 para. 3. The Customer may contact Astrafox for the purpose of negotiating and amending the content of these provisions; however, any changes must be made and agreed to in written form.
- Under the provisions set out in this chapter, the Customer, who is the controller within the terms of the GDPR, entrusts Astrafox with the processing of personal data, and Astrafox accepts this order and undertakes to process the data within the scope, purpose, and conditions set out in the Amodit platform Terms of Service (ToS) (or a separate terms of service agreement concluded with the Customer), and in accordance with the provisions of this chapter as well as all legal regulations, in particular the provisions of the GDPR.
- The Customer declares their entitlement to process, and to entrust the processing of, the personal data entrusted to Astrafox within the scope, purpose, and under the conditions specified in the Amodit platform Terms of Service (ToS) or separate agreement which supersedes the ToS.
- Astrafox declares that it has the knowledge, and the technical and organizational resources necessary to properly process personal data; and that the personal data processing system implemented by Astrafox, including the IT system, meets the current requirements of applicable law, including in particular the provisions of the GDPR.
PROCESSED PERSONAL DATA
- Processing will include the following types of personal data:
- User data: name, surname, e-mail address, telephone number, position.
- Recipient data from documents processed on the Amodit platform: name, surname, position, company name, e-mail address, telephone number.
- The processing will include the following categories of people: Amodit users who are employees or associates of the Customer, and recipients of documents processed on the Amodit platform.
- The processing of personal data by Astrafox will be performed only during the period of the provision of services, unless legal provisions require the subsequent processing of data.
- The nature and the purpose of personal data processing result directly from, and are limited only to, the tasks related to the provision of services on the Amodit platform.
- The nature of the processing is determined by the fact that Astrafox provides services in the field of business process optimization.
- The purpose of the processing is to fulfill Astrafox’s obligations related to the provision of the services mentioned in point a) above.
- Astrafox, in pursuit of achieving the purpose set out above, is entitled to perform the following operations on the personal data entrusted to it: collecting, recording, organizing, ordering, storing, adapting or modifying, downloading, viewing, using, disclosing through transmission, distributing or otherwise sharing, matching or combining, limiting, deleting or destroying.
RESPONSIBILITIES OF THE PROCESSOR
- Taking into account: the nature, scope, context, and purposes of processing; the state of technical knowledge; the cost of implementation; as well as the risk of violating the rights or freedoms of natural persons, Astrafox undertakes to ensure data security by implementing appropriate technical, organizational, and supervisory measures over the personal data entrusted to Astrafox throughout the entire period of data possession.
- Astrafox undertakes to keep confidential the personal data to which it has access in connection with the provision of services and not to disclose this data without the prior consent of the Customer.
- In connection with entrusting the processing of personal data, Astrafox processes personal data only on the basis of a documented client Documented client orders are specifically the acceptance of the Amodit platform Terms of Service (ToS) or any other service contracts concluded with the Customer.
- As best as it is able, Astrafox will provide the Customer with assistance in fulfilling the obligations referred to in GDPR Art. 32-36, which specifically cover: data protection, reporting breaches to supervisory authorities, notifying data subjects affected by data security breaches, data protection impact assessments, prior consultation with the supervisory authorities, and obligations towards data subjects, in particular with regard to answering requests in the scope of the rights specified in GDPR Section.
- The Customer is obliged to cooperate with Astrafox in the performance of services provided to the
- In the event that Astrafox has doubts as to the lawfulness of the instructions given by the Customer with regard to the personal data entrusted for processing, Astrafox will inform the Customer about these doubts and the Customer will be obliged to provide Astrafox with written explanations which remove the above-mentioned The Client’s explanations should be provided immediately, but not later than within 3 days from the date of being informed of the above-mentioned doubts.
PERSONS PROCESSING PERSONAL DATA ON BEHALF OF ASTRAFOX
- Astrafox undertakes to limit personal data processing access to only persons whose access results from the fact of providing services to the Customer.
- Personal data processing access can only be given to persons authorized by Astrafox, as referred to in GDPR Art. 29; these persons are trained in the provisions of the personal data protection regulations, and are obliged by Astrafox to keep confidential all information obtained as a result of data processing.
Astrafox undertakes to immediately notify the Customer of any breach of security regarding personal data, in particular including unauthorized access to personal data.
RIGHT TO INSPECT
- The Customer has the right to inspect Astrafox’s processing of the entrusted personal data with regard to compliance with the legal regulations and the provisions of this chapter. The inspection shall be carried out in the form of an audit by the Customer or an auditor authorized by the Customer. Conducting an audit must not overburden Astrafox. In particular, the Customer may exercise their right of inspection only during Astrafox’s working hours. Information on the date and scope of the audit must be provided in writing or by e-mail to Astrafox at least 30 days in advance.
- The Customer’s right to conduct an audit includes only one inspection per calendar year. The above limitation does not apply when a personal data protection authority obliges the Customer to conduct additional audits. All provisions of this section apply to each additional audit.
- The Customer will oblige the auditor to maintain confidentiality indefinitely with regard to any information obtained during or in the course of the audit, particularly in regard to any data that may be confidential data from Astrafox, its employees, or Customers.
SUPERVISION OF PERSONAL DATA
The Customer gives Astrafox a general consent that the processing of personal data under the Customer’s control can be subcontracted to other entities, with the reservation that the intention to subcontract the processing of personal data requires prior notification to the Customer in order to enable any of the Customer’s objections to be expressed. Without written objection by the Customer within 24 hours from the date of receipt of the notification, the sub-processor shall be deemed to have been accepted. Astrafox stipulates that an objection may result in the inability to provide further services to the Customer.
- Astrafox is liable to the Customer for the proper performance of the obligations in connection with personal data protection by a third party to whom personal data has been entrusted.
- Astrafox is liable for damages, except for lost profits, caused by its culpable actions in connection with failure to fulfill obligations that the law, including the GDPR, imposes directly on the processor, or if Astrafox acted outside or against the lawful instructions of the Client.
TERMINATION OF PERSONAL DATA PROCESSING
After completing the provision of services to the Customer, Astrafox will return or permanently delete all personal data to which it had access as part of the provision of services to the Customer unless there exists a legal requirement for the further storage of personal data.